Hi,

Could you review the freetext form of this DLA?

Several vulnerabilities have been discovered in apache2, a web server that may be used as a front-end proxy for other applications. These vulnerabilities may lead to HTTP request smuggling, and thus may allow bypassing front-end security controls.

Unfortunately, fixing these security vulnerabilities may require some changes to configuration files. Some out-of-specification RewriteRule directives that were previously silently accepted are now rejected with error AH10409. For instance, some RewriteRules that included back-references and flags [NC,L] now need to be written with quoted flags like "[QSA,L,B= ?,BNP]".

* CVE-2023-27522

  HTTP Response Smuggling in mod_proxy_uwsgi

* CVE-2023-25690

  Some mod_proxy configurations allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
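As an added illustration (not part of the draft advisory above), here is a constructed mod_rewrite fragment showing a proxying rule of the kind the CVE-2023-25690 text describes, first in the old unquoted form and then rewritten with the quoted B/BNP flags. The backend host, path and the exact behaviour of the rejected form are assumptions for the example, not taken from the advisory.

```apache
# Constructed example, not from the advisory: a proxying RewriteRule that
# re-inserts user-supplied request-target data through a back-reference.
RewriteEngine On

# Old form: $1 is copied into the proxied request-target unescaped, so a
# "?" or space in the incoming URL reaches the backend unchanged.
# On the fixed apache2 this kind of rule is rejected at startup (AH10409).
# RewriteRule ^/app/(.*)$ http://backend.internal/app/$1 [P,NC,L]

# Fixed form: B= ? escapes space and "?" inside the back-reference and BNP
# encodes a space as %20 rather than "+". Because the flag list now contains
# a space, the whole flags argument has to be quoted, as does the pattern.
RewriteRule "^/app/(.*)$" "http://backend.internal/app/$1" "[P,NC,L,B= ?,BNP]"
```

After changing the rule, `apachectl configtest` shows whether the directive is still rejected before the service is restarted.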