
Review of DLA apache2

Hi,

Could you review the freetext form of this DLA?

Several vulnerabilities have been discovered in apache2, a web server that may be used as a front-end proxy for other applications.
These vulnerabilities may lead to HTTP request smuggling, and thus to bypassing front-end security controls.

Unfortunately, fixing these security vulnerabilities may require changes to configuration files. Some out-of-specification RewriteRule directives that were previously silently accepted are now rejected with error AH10409. For instance, some RewriteRules that included back-references and flags [NC,L] now need to be written with quoted flags such as "[QSA,L,B= ?,BNP]".

 * CVE-2023-27522
   HTTP Response Smuggling in mod_proxy_uwsgi
 * CVE-2023-25690
   Some mod_proxy configurations allow a HTTP Request Smuggling attack.
   Configurations are affected when mod_proxy is enabled along with some
   form of RewriteRule or ProxyPassMatch in which a non-specific pattern
   matches some portion of the user-supplied request-target (URL) data
   and is then re-inserted into the proxied request-target using variable
   substitution.
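As an added illustration of the configuration shape described for CVE-2023-25690 (not part of the DLA text or of the apache2 package), a small Python audit script over a constructed httpd.conf: it flags RewriteRule [P] and ProxyPassMatch directives that re-insert an open-ended capture ($N) into the proxied target without the B flag, and accepts the quoted "[P,QSA,L,B= ?,BNP]" form the advisory mentions. The host name and rules are constructed, and the "open-ended capture" test is a heuristic.

```python
import re

# Constructed sample httpd.conf: rule 3 re-inserts an open-ended capture with
# no B flag, rule 4 is the escaped (quoted-flag) form, rule 5 is specific.
CONSTRUCTED_CONF = """\
RewriteEngine on
# proxied rules below; only the first and the ProxyPassMatch should be flagged
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" "[P,QSA,L,B= ?,BNP]"
RewriteRule "^/item/([0-9]+)$" "http://backend.example:8080/item/$1" [P,L]
ProxyPassMatch "^/api/(.*)" "http://backend.example:8080/$1"
"""
BACKREF = re.compile(r"\$[1-9]")                # $1..$9 substitution in the target
BROAD_CAPTURE = re.compile(r"\(\.[*+]|\(\[\^")  # heuristic: (.*), (.+), ([^/]+), ...
FLAG_ALIASES = {"PROXY": "P", "ESCAPE": "B"}    # long flag names mod_rewrite accepts

def tokenize(line):
    """Split a directive line on whitespace while honouring double quotes."""
    tokens, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    return tokens + ["".join(buf)] if buf else tokens

def parse_flags(token):
    """'[QSA,L,B= ?,BNP]' -> {'QSA': None, 'L': None, 'B': ' ?', 'BNP': None}"""
    flags = {}
    for item in token.strip()[1:-1].split(","):
        name, sep, value = item.partition("=")
        name = name.strip().upper()
        flags[FLAG_ALIASES.get(name, name)] = value if sep else None
    return flags

def audit(config_text):
    """Return (line, directive, pattern) for unescaped open-ended proxied captures."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = tokenize(raw.strip())
        if len(tokens) < 3 or tokens[0].lower() not in ("rewriterule", "proxypassmatch"):
            continue
        directive, pattern, target = tokens[:3]
        flags = parse_flags(tokens[3]) if len(tokens) > 3 else {}
        if directive.lower() == "rewriterule" and ("P" not in flags or "B" in flags):
            continue  # not proxied by this rule, or back-references escaped by B
        if BACKREF.search(target) and BROAD_CAPTURE.search(pattern):
            findings.append((lineno, directive, pattern))
    return findings
```

The check only covers directives that proxy in one step; a RewriteRule without [P] whose result is later matched by ProxyPass, and the server-side rejection (AH10409) in the fixed package, are outside what this script models.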
