--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package apache2/2.4.54-1~deb11u1
- From: Yadd <yadd@debian.org>
- Date: Thu, 09 Jun 2022 09:16:43 +0200
- Message-id: <165475900300.1391413.15820149131275383184.reportbug@debian007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org
[ Reason ]
Apache2 2.4.54 fixes several security issues:
* moderate: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker
to smuggle requests to the AJP server it forwards requests to.
* low: read beyond bounds in mod_isapi (CVE-2022-28330)
* low: read beyond bounds via ap_rwrite() (CVE-2022-28614)
* low: Read beyond bounds in ap_strcmp_match() (CVE-2022-28615)
* low: Denial of service in mod_lua r:parsebody (CVE-2022-29404)
* low: mod_sed denial of service (CVE-2022-30522)
* low: Information Disclosure in mod_lua with websockets (CVE-2022-30556)
* low: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
[ Impact ]
Medium security issues
[ Tests ]
New test passed
[ Risks ]
Medium risk, Apache 2.4.54 only fixes issues. Apache 2.4.54 changelog
(as usual with Apache2 CVE references are added later in the changelog):
*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
*) mod_md: a bug was fixed that caused very large MDomains
with the combined DNS names exceeding ~7k to fail, as
request bodies would contain partially wrong data from
uninitialized memory. This would have appeared as failure
in signing-up/renewing such configurations.
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
*) MPM event: Restart children processes killed before idle maintenance.
*) ab: Allow for TLSv1.3 when the SSL library supports it.
*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
transmission delays.
*) MPM event: Fix accounting of active/total processes on ungraceful restart,
*) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
*) mod_http2: remove unused and insecure code. Fixes PR66037.
*) mod_proxy: Add backend port to log messages to
ease identification of involved service.
*) mod_http2: removing unscheduling of ongoing tasks when
connection shows potential abuse by a client. This proved
counter-productive and the abuse detection can false flag
requests using server-side-events.
Fixes <https://github.com/icing/mod_h2/issues/231>.
*) mod_md: Implement full auto status ("key: value" type status output).
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
*) mod_md: fixed a bug leading to failed transfers for OCSP
stapling information when more than 6 certificates needed
updates in the same run.
*) mod_proxy: Set a status code of 502 in case the backend just closed the
connection in reply to our forwarded request.
*) mod_md: a possible NULL pointer deref was fixed in
the JSON code for persisting time periods (start+end).
Fixes #282 on mod_md's github.
*) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
no shared memory slotmem was initialized.
*) mod_md: added support for managing certificates via a
local tailscale daemon for users of that secure networking.
This gives trusted certificates for tailscale assigned
domain names in the *.ts.net space.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
[ Other info ]
The whole change is available here: https://salsa.debian.org/apache-team/apache2/-/commit/6e38dd83
The debdiff only contains debian directory changes: new upstream + bad
filename in documentation.
Cheers,
Yadd
diff --git a/debian/apache2.README.Debian b/debian/apache2.README.Debian
index 325cc2a7..33fa6cbc 100644
--- a/debian/apache2.README.Debian
+++ b/debian/apache2.README.Debian
@@ -190,7 +190,7 @@ Using mod_cache_disk
To ensure that the disk cache does not grow indefinitely, htcacheclean is
started when mod_cache_disk is enabled. Both daemon and cron (daily) mode
are supported. The configuration (run mode, cache size, etc.) is in
-'/etc/default/apache2'.
+'/etc/default/apache-htcacheclean'.
Normally, htcacheclean is automatically started and stopped by
'/etc/init.d/apache2'. However, if you change the state of mod_cache_disk or
diff --git a/debian/changelog b/debian/changelog
index eedee830..e654f005 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+apache2 (2.4.54-1~deb11u1) bullseye; urgency=medium
+
+ [ Yadd ]
+ * Fix htcacheclean doc (Closes: #1010455)
+
+ [ Yadd ]
+ * New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813,
+ CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
+ CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
+
+ -- Yadd <yadd@debian.org> Thu, 09 Jun 2022 06:26:43 +0200
+
apache2 (2.4.53-1~deb11u1) bullseye; urgency=medium
* New upstream version 2.4.53 (Closes: CVE-2022-22719,
--- End Message ---