Bug#1029123: bullseye-pu: package apache2/2.4.55-1~deb11u1

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> Apache2 has 3 new security issues:
>  * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
>    A carefully crafted If: request header can cause a memory read, or
> write
>    of a single zero byte, in a pool (heap) memory location beyond the
> header
>    value sent. This could cause the process to crash.
>  * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
>    Inconsistent Interpretation of HTTP Requests ('HTTP Request
> Smuggling')
>    vulnerability in mod_proxy_ajp of Apache HTTP Server allows an
> attacker
>    to smuggle requests to the AJP server it forwards requests to.
>  * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to
> trigger HTTP
>    response splitting.
>    A malicious backend can cause the response headers to be truncated
> early,
>    resulting in some headers being incorporated into the response
> body. If
>    the later headers have any security purpose, they will not be
> interpreted
>    by the client.

Apologies for letting this fall through the cracks until now.

>From comments in #1032977, it sounds as if this request has been
effectively superseded by an impending DSA release?

Regards,

Adam