Re: Three Apache2 vulnerabilities

[Sylvain Beucler <beuc@beuc.net>]

Hello Marc,

One LTS contributor (Lee) claimed the package a few days ago, so an 
update is underway.

Apache2 for LTS has multiple sponsors, so it has good priority within 
the work queue.

As for bullseye, an update is planned for the next point release:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029123
("no-dsa" can be misleading)

Cheers!
Sylvain Beucler
Debian LTS Team

On 02/02/2023 08:39, Marc SCHAEFER wrote:
> Hello,
>
> CERT-FR considers three new Apache2 vulnerabilities to be of concern [1].
>
> These are:
>
> CVE-2022-37436 [2]
> CVE-2022-36760 [3]
> CVE-2006-20001 [4]
>
> The first one will modify how clients may apply some security headers if a
> malicious backend triggers this bug (some headers will be in the response
> body). Ranke as 5.3 MEDIUM.
>
> The second one is specific to mod_proxy_ajp, aka Java/tomcat backend.
> Ranked as 9.0 CRITICAL.
>
> The third one is a very old vulnerability in webdav, which is a read of one
> byte or buffer head overflow of 1 byte. This is ranked as 7.5 / HIGH.
>
> My personal ranks are: don't care (my backends are not malicious :->), don't
> care (I don't run any Java software per policy). The last one bothers me more.
>
> Do you know when this will be fixed in LTS?
>
> The Security tracker [5] tells me that bullseye is not fixed yet either, and
> the no-DSA bothers me.
>
> Thank you for looking into this.
>
> [1] https://www.cert.ssi.gouv.fr/avis/CERTFR-2023-AVI-0035/?s=09
> [2] https://www.cve.org/CVERecord?id=CVE-2022-37436
> [3] https://www.cve.org/CVERecord?id=CVE-2022-36760
> [4] https://www.cve.org/CVERecord?id=CVE-2006-20001
> [5] https://security-tracker.debian.org/tracker/source-package/apache2