-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1380
                         apache2 security update
                               6 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-37436 CVE-2022-36760 CVE-2021-33193 CVE-2006-20001

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/03/msg00002.html

Comment: CVSS (Max):  9.0 CVE-2022-36760 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3351-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
March 03, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package        : apache2
Version        : 2.4.38-3+deb10u9
CVE ID         : CVE-2006-20001 CVE-2021-33193 CVE-2022-36760 CVE-2022-37436

Multiple security vulnerabilities have been discovered in Apache HTTP server.

CVE-2006-20001

    A carefully crafted If: request header can cause a memory read, or write
    of a single zero byte, in a pool (heap) memory location beyond the header
    value sent. This could cause the process to crash.

CVE-2021-33193

    A crafted method sent through HTTP/2 will bypass validation and be
    forwarded by mod_proxy, which can lead to request splitting or cache
    poisoning.
CVE-2022-36760

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
    vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker
    to smuggle requests to the AJP server it forwards requests to.

CVE-2022-37436

    A malicious backend can cause the response headers to be truncated
    early, resulting in some headers being incorporated into the response
    body. If the later headers have any security purpose, they will not be
    interpreted by the client.

For Debian 10 buster, these problems have been fixed in version
2.4.38-3+deb10u9.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEE2EfGJRCpwv8kLOAs1gShxII+4PgFAmQCIC8ACgkQ1gShxII+
4Ph6QB/+NNlPFlLfqaYTQVZrgDD1znnhV22n05/pFKaPP2ASH+J6pwd4aAiD2/FI
dkLwYNLTTY36SV8/k6gR8mSqZKDizmbQ2Y2l/MBC0nu0muZlgefzVPOOcC1Zj7DP
L4PcIoAtIWK5rHoLbB2aDTVT65DjaeoeFQHjsPPNoWJL5xUzifHOOCqWeqC+Cq1c
hl+Y29Sa2mCXI9yn9ZsrZm8UL5dT7y17IazDKNEaFAQGERyuqpWyudqCMW6i0JyV
dham2U/kAsy5Mi9BbEZixkGB0QVU/Tr2d6M+/FZrD5LEFm1zLPSOVJ0r4IZwhv58
54UN0Vph42ry+2nMlXtKkz8lVp1if2tfp70fXCEsZLttLpjtYZv9K89F2luJtWUn
LhIFzOKMJOAWjOUSMRO0akt8Vwwm1BKlX/GSgjje2XaAYbGNweWxgbWKkLMlcsce
lwqOoft8r+nqa0JF4Lg29tjyhKjliSh9gqMq5YRTGrBbRQnGoNXphmphxUBCoDkY
q6K8rr2/Rq9ObpxbR+rDT6HovRGS4zGystPTWs/sVLXv+xQO7cfQ9UMaw7yjM8Mb
X3iXS4KdRvYAWPU+f5/xnCuLvaFcPYc8VFF3m9n0AWCGQw6+/75QT0KFLPhZjIiv
ZiA0bt9qFcs9I3e7epb//wm0h8ZV+abls41zGt2ot6xac5Asuk9YcLEvmR3KdsS9
Goga6TfkDdvROxKbdWQxN2zG7R2FhnF5TiEfk0Nul3SjaI964k0/n/VIfgk/pw0J
SZIdWHVJ2ayiap+anJvxvJWkWOI2W+2K8gt9Ten9hIpaJ9nBTyPvGkDpTxOm8UB3
HJ0H64zLK4rFkVknSDhoSlHiw8HSaQgrPRKn+TJ5nqLpaEOAt9Tp5l3DdsUuO0xq
cNgnr0Me8QmaAQOUm/GONZDoomaPR8+FNINTRAFbOAn3sA0bVcGX0nV7v8+Yz8UP
o6W5/LoK3tGzEvBhimbP8lAbuPt5372CMnpUAI3glNoEN0ITJHPtS/+NmkVX/h2T
Y2RHwD01erKWcqFdXGa7Fv6p5S9KuluP4fCjTSiWTWYgv+ztLxXxffrDhAM2hbeo
HnAtZhqyHfHaPccTN1WaYc472BSluLsYDoIOe5iYlM/+Bi7mxvCqhc60fNB+WIL5
RPVdjO7mfhlWZ5UAxqgAKEDcKsPY/zBTvoXiIhca9HKz/0LcC94X8q8Js77VH2Ph
EyUAyCV+tN+FOmSnz8fV9834PS3EBRYLH4rioRu+qt1vnZ/cTEUAYSKLZkfA87xo
7+vAevloVz+Ue7qjnBD+iLDR5L6EyM3SjQHbQ9llQ/Oz/b80GWI5NOoDyD0nFL/2
l+oQFtAhGViz3mQA7UFztsF1RzCLVA==
=L5AZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above.
If you have any questions or need further information, please contact
them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZAVQgMkNZI30y1K9AQimDg//YvDQ75zg9uf66GydzWCSqT7yW6jGuH8d
573h+YiLz8QZnxT4Lnbg7v9ZCXBoRQjBAt4ueIUZs9hRK8ien4xG4beJScnYfnXB
lLYgY54DcHuxjKLJL06SfJACPQolWmgRUovsCItitS6FdSFgRphGLPN3uhE1xcVi
AcNxYF4mLxwpdArseszAAxRyjzRRWC4MxnN/mR4Iik1u7crlrF9ioGIJUL+exdiI
c9Gpj9TS7TszMJ44pVVOLGu6wl8Sv9EoYKHT1WW1k/JCA24Jjx++n3tLAsQICTN/
mNE1hST11hXavJHrTyHSMUwUaBf88/fv1M781Jt4ZTs5W471tQuNuXQp6GHVjzlQ
HcUhYpP4/HsG3ivB/tY1J8w5sR6/dYVBaFIGG0iWLWKy79/OPWjtUkJi2qc5mmGd
8ne1NlvZ3gq21NGsgafJLkKIe4v7Qv6RJKzTkElMDYDFOJ5/nYMtsnsZlLP9oVxX
tmCXFln5tDZS6Ai0+SAQShusGGFlfi2/0aMwQo1JtqbXtKNlFYa/KgIqIBpidmy5
++ZwM60Md1041eV7lrSRc1wAP5BkvyiJ0BwZQLRAQE841Wx3D4LalSFUd1XnJNet
7ooV/U9E7fzmqv/vuv5qu+N5HmoaT4UDqU65Zi4aXsE50/XYJvUv5BmqhVvF5Z4g
ubnhUekqFts=
=vOXB
-----END PGP SIGNATURE-----