900416 – (CVE-2023-25690, CVE-2023-27522) <www-servers/apache-2.4.56: multiple vulnerabilities

Bug 900416 (CVE-2023-25690, CVE-2023-27522) - <www-servers/apache-2.4.56: multiple vulnerabilities

Summary: <www-servers/apache-2.4.56: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2023-25690, CVE-2023-27522

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://httpd.apache.org/security/vul...
Whiteboard:	B4 [glsa+]
Keywords:	PullRequest

Depends on:	903493
Blocks:
	Show dependency tree

Reported:	2023-03-08 15:55 UTC by John Helmert III
Modified:	2023-09-17 06:32 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/30021
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-03-08 15:55:16 UTC

CVE-2023-25690:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

CVE-2023-27522:

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

Please bump to 2.4.56.

Comment 1 Larry the Git Cow gentoo-dev

2023-03-11 11:17:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=491e42d2897839a8f980080579044f9dd97d818d

commit 491e42d2897839a8f980080579044f9dd97d818d
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-03-11 08:56:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-03-11 11:17:46 +0000

    www-servers/apache: add 2.4.56
    
    Bug: https://bugs.gentoo.org/900416
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.56.ebuild | 259 ++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2023-06-16 06:18:54 UTC

Cleanup done.

Comment 3 Tim Hammer 2023-06-16 13:28:39 UTC

Curious as to why no GLSA has been created for CVE-2023-25690 or CVE- 2023-27522?

Comment 4 John Helmert III archtester

2023-06-19 02:52:29 UTC

GLSA request filed.

Comment 5 Larry the Git Cow gentoo-dev

2023-09-08 19:24:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c436d88493a5c8eec9b1f8a63799d35dd75d3372

commit c436d88493a5c8eec9b1f8a63799d35dd75d3372
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-08 19:12:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-08 19:18:31 +0000

    [ GLSA 202309-01 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891211
    Bug: https://bugs.gentoo.org/900416
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)