Re: Review of DLA apache2
Bastien Roucariès wrote:
> Could you review the freetext form of this DLA ?
Okay:
> Several vulnerabilities have been discovered in apache2 a
> webserver that may be used as front-end proxy for other applications.
This needs a comma - "apache2, a webserver".
>
> These vulnerabilities may lead to HTTP request smuggling, and thus
> may lead to bypass front-end security controls.
              ~~~~~~
Make that: "may lead to the bypassing of front-end security controls".
Or less repetitively:
    These vulnerabilities may lead to HTTP request smuggling, and thus
    to front-end security controls being bypassed.
> Unfortunately, fixing these security vulnerability may need some
> change on configuration files.
Make that "may require changes to configuration files".
> Some out of specification RewriteRule directives that were
> previously silently accepted, are now rejected with error AH10409.
(Apache error codes are annoyingly hard to find information about,
but I suppose at least people will be able to find this DLA!)
    Some out-of-specification RewriteRule directives that were
    previously silently accepted, are now rejected with error AH10409.
> For instance some RewriteRules that included back-references and
> flags [NC,L] need now to be written with quoted like flags
> "[QSA,L,B= ?,BNP]".
This has problems that I can't fix because I don't understand it.
What exactly triggers the problem - is it perhaps rules with
a) back-references, whatever that means in this context, AND
b) a specific [NC] (NoCase) flag, AND
c) an [L] (Last) flag?
Except that this was just a "for instance", so how many other things
might trigger the problem? And why when explaining how they need to
be quoted does the set of flags also change? Ah; maybe the quotes are
a red herring? The flags given are extra ones to modify escaping of
query strings, though I still don't see why it keeps Last but throws
out NoCase...
My best guess for now:
    For instance, some RewriteRules that included a back-reference and
    the flags "[L,NC]" will need to be written with extra escaping flags
    such as "[B= ?,BNP,QSA]".
> * CVE-2023-27522
> HTTP Response Smuggling in mod_proxy_uwsgi
> * CVE-2023-25690
> Some mod_proxy configurations allow a HTTP
That should be "an HTTP"
> Request Smuggling attack. Configurations are affected
> when mod_proxy is enabled along with some form of RewriteRule
> or ProxyPassMatch in which a non-specific pattern matches
> some portion of the user-supplied request-target (URL)
> data and is then re-inserted into the proxied request-target
> using variable substitution.
Any hope of including a link to some detailed explanation elsewhere?
The best I could find was just
https://httpd.apache.org/docs/2.4/rewrite/flags.html
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
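
An added illustration, not part of the original message or of the DLA: a small Python audit that lists directives matching the CVE-2023-25690 description quoted above (a proxied RewriteRule or ProxyPassMatch whose broad capture is re-inserted into the backend URL via $N). The sample configuration, its host names and the "broad pattern" heuristic are constructed assumptions; the `escaped` field only records whether mod_rewrite's B flag is present on the rule.

```python
import re

# Constructed sample configuration (not taken from the DLA or the thread).
SAMPLE_CONF = r'''
RewriteEngine on
RewriteRule "^/app/(.*)" "http://backend.internal:8080/app/$1" [P]
RewriteRule "^/api/(.*)" "http://backend.internal:8080/api/$1" [P,B,NE]
RewriteRule "^/id/([0-9]+)$" "http://backend.internal:8080/item?id=$1" [P]
RewriteRule "^/old/(.*)" "/new/$1" [L,NC]
ProxyPassMatch "^/files/(.*)" "http://backend.internal:8080/files/$1"
'''

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')   # quoted or bare argument
# Heuristic (assumption) for a "non-specific pattern": (.*), (.+), ([^/]+) ...
BROAD = re.compile(r'\((?:\?:)?(?:\.|\[\^[^\]]*\])[*+]\??\)')
BACKREF = re.compile(r'\$[1-9]')                   # $1..$9 in the target

def flag_names(token):
    """Turn '[P,B= ?,NE]' into {'P', 'B', 'NE'}."""
    return {f.split('=')[0].strip().upper()
            for f in token.strip('[]').split(',') if f.strip()}

def audit(conf):
    """Return directives matching the advisory's description, in file order."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        args = [q or b for q, b in TOKEN.findall(raw.strip())]
        if len(args) < 3 or args[0].startswith('#'):
            continue
        name, pattern, target = args[0].lower(), args[1], args[2]
        flags = flag_names(args[3]) if len(args) > 3 else set()
        if name == 'rewriterule':
            proxied = bool(flags & {'P', 'PROXY'})   # only [P] rules are proxied
        else:
            proxied = name == 'proxypassmatch'
        # Broad capture in the pattern AND a back-reference in the proxied URL.
        if proxied and BROAD.search(pattern) and BACKREF.search(target):
            findings.append({'line': lineno, 'directive': args[0],
                             'escaped': 'B' in flags})
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE_CONF):
        print(f)
```

Rules it lists are candidates for manual review against the fixed package, not confirmed vulnerabilities; narrow captures such as `([0-9]+)` and non-proxied rewrites are deliberately left out.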