
Re: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?



Hi Philipp,

I am working hard to reproduce the CVE and close it for good. I have a
regression test for this nearly ready.

There are also some regressions from applying this patch: perfectly
correct configurations will now be rejected.

I am asking the opinion of the Apache maintainers/security team before releasing.

Thanks for the reminder.

Bastien

On Thu, 20 Apr 2023 at 12:33, Philipp Hahn <hahn@univention.de> wrote:
>
> Hello fellow DDs,
>
> I was redirected here by Moritz:
>
> -------- Forwarded Message --------
> Subject: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?
> Date: Thu, 20 Apr 2023 12:05:19 +0200
> From: Philipp Hahn <hahn@univention.de>
> Organisation: Univention GmbH
> To: team@security.debian.org, Raphael Hertzog <raphael@freexian.com>
> Cc: Salvatore Bonaccorso <carnil@debian.org>, Debian Apache
> Maintainers <debian-apache@lists.debian.org>
>
> Hello fellow DDs,
>
> sorry for wasting your valuable time, but
> <https://security-tracker.debian.org/tracker/CVE-2023-25690> lists
> "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
> Are there any plans to back-port the change to that older version, e.g.
> - Debian-10-Buster Security
> - Debian-9-Stretch ELTS (Freexian)
>
> If this is already some work-in-progress maybe you can share some
> information on the progress and if there is an estimated time frame.
>
> According to my own research,
> <https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff>
> and
> <https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0>
> also apply cleanly to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu
> seems to go with just these two commits:
> <https://ubuntu.com/security/CVE-2023-25690>
>
> Thank you for your work and time
> --
> Philipp Hahn
> Open Source Software Engineer
>
> Univention GmbH
> be open.
> Mary-Somerville-Str. 1
> D-28359 Bremen
>
> 📞 +49-421-22232-57
> 🖶 +49-421-22232-99
>
> ✉️ hahn@univention.de
> 🌐 https://www.univention.de/
>
> Managing Directors: Peter H. Ganten, Stefan Gohmann
> HRB 20755 Amtsgericht Bremen
> Tax no.: 71-597-02876
>