
Debian alert DLA-3351-1 (apache2)

From:  Mark Lee Garrett <lee@master.debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 3351-1] apache2 security update
Date:  Fri, 03 Mar 2023 16:35:17 +0000
Message-ID:  <ZAIhxaIQSK4vLBMv@master.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3351-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
March 03, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.38-3+deb10u9
CVE ID         : CVE-2006-20001 CVE-2021-33193 CVE-2022-36760 CVE-2022-37436

Multiple security vulnerabilities have been discovered in Apache HTTP Server.

CVE-2006-20001

    A carefully crafted If: request header can cause a memory read, or
    write of a single zero byte, in a pool (heap) memory location beyond
    the header value sent. This could cause the process to crash.

CVE-2021-33193

    A crafted method sent through HTTP/2 will bypass validation and be
    forwarded by mod_proxy, which can lead to request splitting or cache
    poisoning.

CVE-2022-36760

    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it forwards
    requests to.

CVE-2022-37436

    A malicious backend can cause the response headers to be truncated
    early, resulting in some headers being incorporated into the response
    body. If the later headers have any security purpose, they will not
    be interpreted by the client.

For Debian 10 buster, these problems have been fixed in version
2.4.38-3+deb10u9.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEE2EfGJRCpwv8kLOAs1gShxII+4PgFAmQCIC8ACgkQ1gShxII+
4Ph6QB/+NNlPFlLfqaYTQVZrgDD1znnhV22n05/pFKaPP2ASH+J6pwd4aAiD2/FI
dkLwYNLTTY36SV8/k6gR8mSqZKDizmbQ2Y2l/MBC0nu0muZlgefzVPOOcC1Zj7DP
L4PcIoAtIWK5rHoLbB2aDTVT65DjaeoeFQHjsPPNoWJL5xUzifHOOCqWeqC+Cq1c
hl+Y29Sa2mCXI9yn9ZsrZm8UL5dT7y17IazDKNEaFAQGERyuqpWyudqCMW6i0JyV
dham2U/kAsy5Mi9BbEZixkGB0QVU/Tr2d6M+/FZrD5LEFm1zLPSOVJ0r4IZwhv58
54UN0Vph42ry+2nMlXtKkz8lVp1if2tfp70fXCEsZLttLpjtYZv9K89F2luJtWUn
LhIFzOKMJOAWjOUSMRO0akt8Vwwm1BKlX/GSgjje2XaAYbGNweWxgbWKkLMlcsce
lwqOoft8r+nqa0JF4Lg29tjyhKjliSh9gqMq5YRTGrBbRQnGoNXphmphxUBCoDkY
q6K8rr2/Rq9ObpxbR+rDT6HovRGS4zGystPTWs/sVLXv+xQO7cfQ9UMaw7yjM8Mb
X3iXS4KdRvYAWPU+f5/xnCuLvaFcPYc8VFF3m9n0AWCGQw6+/75QT0KFLPhZjIiv
ZiA0bt9qFcs9I3e7epb//wm0h8ZV+abls41zGt2ot6xac5Asuk9YcLEvmR3KdsS9
Goga6TfkDdvROxKbdWQxN2zG7R2FhnF5TiEfk0Nul3SjaI964k0/n/VIfgk/pw0J
SZIdWHVJ2ayiap+anJvxvJWkWOI2W+2K8gt9Ten9hIpaJ9nBTyPvGkDpTxOm8UB3
HJ0H64zLK4rFkVknSDhoSlHiw8HSaQgrPRKn+TJ5nqLpaEOAt9Tp5l3DdsUuO0xq
cNgnr0Me8QmaAQOUm/GONZDoomaPR8+FNINTRAFbOAn3sA0bVcGX0nV7v8+Yz8UP
o6W5/LoK3tGzEvBhimbP8lAbuPt5372CMnpUAI3glNoEN0ITJHPtS/+NmkVX/h2T
Y2RHwD01erKWcqFdXGa7Fv6p5S9KuluP4fCjTSiWTWYgv+ztLxXxffrDhAM2hbeo
HnAtZhqyHfHaPccTN1WaYc472BSluLsYDoIOe5iYlM/+Bi7mxvCqhc60fNB+WIL5
RPVdjO7mfhlWZ5UAxqgAKEDcKsPY/zBTvoXiIhca9HKz/0LcC94X8q8Js77VH2Ph
EyUAyCV+tN+FOmSnz8fV9834PS3EBRYLH4rioRu+qt1vnZ/cTEUAYSKLZkfA87xo
7+vAevloVz+Ue7qjnBD+iLDR5L6EyM3SjQHbQ9llQ/Oz/b80GWI5NOoDyD0nFL/2
l+oQFtAhGViz3mQA7UFztsF1RzCLVA==
=L5AZ
-----END PGP SIGNATURE-----
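The advisory's remedy is a version check: a buster host is covered once its apache2 packages are at 2.4.38-3+deb10u9 or later. Deciding "or later" needs Debian's version-ordering rules, not string comparison (the next LTS update, 2.4.38-3+deb10u10, sorts before deb10u9 as a string). The following is an added example, not part of the advisory or of Debian's own tooling: a Python reimplementation of the comparison algorithm from Debian Policy section 5.6.12 (the one `dpkg --compare-versions` applies), used to classify reported package versions offline. The function names (`compare_versions`, `is_fixed`, `audit`), the hypothetical host inventory and the sample version strings are the example's own constructions; the optional live `dpkg-query` call is skipped wherever dpkg is not installed.

```python
"""Classify apache2 versions against the DLA-3351-1 fix (added example)."""
import shutil
import subprocess

FIXED_VERSION = "2.4.38-3+deb10u9"          # from the advisory, Debian 10 "buster"
# apache2 is the metapackage; apache2-bin carries httpd and the modules
# (mod_proxy, mod_proxy_ajp, mod_dav ...), so both are worth checking.
APACHE2_BINARIES = ("apache2", "apache2-bin")


def _char_order(c: str) -> int:
    """Weight of one character in a non-digit run, as dpkg's order() defines it."""
    if c == "~":
        return -1                # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)            # letters sort before non-letters
    return ord(c) + 256          # '+', '.', '-' and friends sort after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision fragments; returns -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Step 1: the leading non-digit runs, compared with the modified order.
        na = ""
        while i < len(a) and not a[i].isdigit():
            na += a[i]
            i += 1
        nb = ""
        while j < len(b) and not b[j].isdigit():
            nb += b[j]
            j += 1
        for k in range(max(len(na), len(nb))):
            wa = _char_order(na[k]) if k < len(na) else 0   # 0 == end of run
            wb = _char_order(nb[k]) if k < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        # Step 2: the leading digit runs, compared numerically (so u10 > u9).
        da = ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        db = ""
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        va, vb = int(da or "0"), int(db or "0")
        if va != vb:
            return -1 if va < vb else 1
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:             # no '-': rpartition put the whole string in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Debian version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is at or above the version carrying the fix."""
    return compare_versions(installed, fixed) >= 0


def audit(installed: dict) -> dict:
    """Map each apache2 binary package to 'fixed' / 'vulnerable' / 'not installed'."""
    result = {}
    for pkg in APACHE2_BINARIES:
        ver = installed.get(pkg)
        if ver is None:
            result[pkg] = "not installed"
        else:
            result[pkg] = "fixed" if is_fixed(ver) else "vulnerable"
    return result


def installed_versions_from_dpkg() -> dict:
    """Ask dpkg on a live Debian host; returns {} where dpkg-query is absent."""
    if shutil.which("dpkg-query") is None:
        return {}
    proc = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${binary:Package}\t${Version}\n",
         *APACHE2_BINARIES],
        capture_output=True, text=True,
    )
    return dict(line.split("\t", 1) for line in proc.stdout.splitlines() if "\t" in line)


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real dpkg output.
    hosts = {
        "buster-unpatched": {"apache2": "2.4.38-3+deb10u8", "apache2-bin": "2.4.38-3+deb10u8"},
        "buster-patched": {"apache2": "2.4.38-3+deb10u9", "apache2-bin": "2.4.38-3+deb10u9"},
        "buster-later-lts": {"apache2": "2.4.38-3+deb10u10", "apache2-bin": "2.4.38-3+deb10u10"},
        "buster-half-upgraded": {"apache2": "2.4.38-3+deb10u9", "apache2-bin": "2.4.38-3+deb10u8"},
    }
    live = installed_versions_from_dpkg()
    if live:
        hosts["this host"] = live
    for name, pkgs in hosts.items():
        print(f"{name}: {audit(pkgs)}")
```

On a real buster host the same decision is one shell line, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' apache2-bin)" ge 2.4.38-3+deb10u9`; the point of the reimplementation is that it runs the same rules from a central inventory where dpkg is not available, and that it gets the cases a string comparison gets wrong (deb10u10 after deb10u9, a tilde suffix before the release, an epoch overriding everything). Check apache2-bin rather than only the apache2 metapackage, since that is where the affected modules live.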




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds