
[SECURITY] [DLA 3351-1] apache2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3351-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
March 03, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.38-3+deb10u9
CVE ID         : CVE-2006-20001 CVE-2021-33193 CVE-2022-36760
                 CVE-2022-37436

Multiple security vulnerabilities have been discovered in the Apache HTTP
Server.

CVE-2006-20001

A carefully crafted If: request header handled by mod_dav can cause a
memory read, or a write of a single zero byte, at a pool (heap) memory
location beyond the header value sent. This can crash the worker process.

CVE-2021-33193

A crafted method sent through HTTP/2 will bypass validation and be
forwarded by mod_proxy, which can lead to request splitting or cache
poisoning.

CVE-2022-36760

An inconsistent interpretation of HTTP requests ('HTTP Request Smuggling')
in mod_proxy_ajp allows an attacker to smuggle requests to the AJP backend
that mod_proxy_ajp forwards requests to.

CVE-2022-37436

A malicious backend can cause mod_proxy to truncate the response headers
early, so that some headers are incorporated into the response body. If
the later headers have any security purpose, they will not be interpreted
by the client.

For Debian 10 buster, these problems have been fixed in version
2.4.38-3+deb10u9.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

