MGASA-2022-0228 - Updated apache packages fix security vulnerability

Publication date: 13 Jun 2022
URL: https://advisories.mageia.org/MGASA-2022-0228.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-26377,
     CVE-2022-28615,
     CVE-2022-29404,
     CVE-2022-30556,
     CVE-2022-31813

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to
smuggle requests to the AJP server it forwards requests to. This issue
affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior
versions. (CVE-2022-26377)
Apache HTTP Server 2.4.53 and earlier may crash or disclose information
due to a read beyond bounds in ap_strcmp_match() when provided with an
extremely large input buffer. While no code distributed with the server
can be coerced into such a call, third-party modules or lua scripts that
use ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua
script that calls r:parsebody(0) may cause a denial of service due to no
default limit on possible input size. (CVE-2022-29404)
Apache HTTP Server 2.4.53 and earlier may return lengths to applications
calling r:wsread() that point past the end of the storage allocated for
the buffer. (CVE-2022-30556)
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*
headers to the origin server based on client side Connection header
hop-by-hop mechanism. This may be used to bypass IP based authentication
on the origin server/application. (CVE-2022-31813)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30529
- - https://httpd.apache.org/security/vulnerabilities_24.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813

SRPMS:
- 8/core/apache-2.4.54-1.mga8

Mageia 2022-0228: apache security update

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP serve...

Summary

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. (CVE-2022-26377) Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615) In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404) Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. (CVE-2022-30556) Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. (CVE-2022-31813)

References

- https://bugs.mageia.org/show_bug.cgi?id=30529

- - https://httpd.apache.org/security/vulnerabilities_24.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813

Resolution

MGASA-2022-0228 - Updated apache packages fix security vulnerability

SRPMS

- 8/core/apache-2.4.54-1.mga8

Severity
Publication date: 13 Jun 2022
URL: https://advisories.mageia.org/MGASA-2022-0228.html
Type: security
CVE: CVE-2022-26377, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved