Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891211 (CVE-2006-20001, CVE-2022-36760, CVE-2022-37436) - <www-servers/apache-2.4.55: multiple vulnerabilities
Summary: <www-servers/apache-2.4.55: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2006-20001, CVE-2022-36760, CVE-2022-37436
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://httpd.apache.org/security/vul...
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 894146
Blocks:
  Show dependency tree
 
Reported: 2023-01-17 17:25 UTC by John Helmert III
Modified: 2023-09-08 19:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-17 17:25:08 UTC
"Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."

Please bump to 2.4.55.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-17 20:42:53 UTC
CVE-2006-20001:

moderate: mod_dav out of bounds read, or write of zero byte

    A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.

CVE-2022-36760:

moderate: Apache HTTP Server: mod_proxy_ajp Possible request smuggling

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Comment 2 Larry the Git Cow gentoo-dev 2023-01-26 05:16:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7746e82a552fd40abcdcbddfd4cd773f97b87443

commit 7746e82a552fd40abcdcbddfd4cd773f97b87443
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-01-25 14:24:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-26 05:06:14 +0000

    www-servers/apache: add 2.4.55
    
    Bug: https://bugs.gentoo.org/891211
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29263
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.55.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 02:52:23 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2023-09-08 19:24:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c436d88493a5c8eec9b1f8a63799d35dd75d3372

commit c436d88493a5c8eec9b1f8a63799d35dd75d3372
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-08 19:12:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-08 19:18:31 +0000

    [ GLSA 202309-01 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891211
    Bug: https://bugs.gentoo.org/900416
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)