Advisories » MGASA-2023-0100

Updated apache packages fix security vulnerability

Publication date: 18 Mar 2023
Modification date: 18 Mar 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-25690 , CVE-2023-27522

Description

Some mod_proxy configurations on Apache HTTP Server allow a HTTP request
smuggling attack. Configurations are affected when mod_proxy is enabled
along with some form of RewriteRule or ProxyPassMatch in which a
non-specific pattern matches some portion of the user-supplied
request-target (URL) data and is then re-inserted into the proxied
request-target using variable substitution. (CVE-2023-25690)
HTTP Response Smuggling vulnerability in Apache HTTP Server via
mod_proxy_uwsgi. This issue affects Apache HTTP Server. Special
characters in the origin response header can truncate/split the response
forwarded to the client. (CVE-2023-27522)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=31644
• https://downloads.apache.org/httpd/CHANGES_2.4.56
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25690
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522

SRPMS

8/core

• apache-2.4.56-1.mga8