Bug#1029123: bullseye-pu: package apache2/2.4.55-1~deb11u1
Hi,
On Sat, Mar 18, 2023 at 05:42:40PM +0000, Adam D. Barratt wrote:
> On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> > Apache2 has 3 new security issues:
> > * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
> > A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.
> > * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
> > Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
> > * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting.
> > A malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
>
> Apologies for letting this fall through the cracks until now.
>
> From comments in #1032977, it sounds as if this request has been effectively superseded by an impending DSA release?
Yes, there will be a DSA release for apache2 based on 2.4.56 upstream
(versioned 2.4.56-1~deb11u1), which will include those changes as
well.
Regards,
Salvatore