-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1380
                          apache2 security update
                               6 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-37436 CVE-2022-36760 CVE-2021-33193
                   CVE-2006-20001  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/03/msg00002.html

Comment: CVSS (Max):  9.0 CVE-2022-36760 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3351-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
March 03, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.38-3+deb10u9
CVE ID         : CVE-2006-20001 CVE-2021-33193 CVE-2022-36760
                 CVE-2022-37436

Multiple security vulnerabilities have been discovered in Apache HTTP
server.

CVE-2006-20001

A carefully crafted If: request header can cause a memory read, or write
of a single zero byte, in a pool (heap) memory location beyond the header
value sent. This could cause the process to crash.

CVE-2021-33193

A crafted method sent through HTTP/2 will bypass validation and be
forwarded by mod_proxy, which can lead to request splitting or cache
poisoning.

CVE-2022-36760

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to
smuggle requests to the AJP server it forwards requests to.

CVE-2022-37436

A malicious backend can cause the response headers to be truncated early,
resulting in some headers being incorporated into the response body. If
the later headers have any security purpose, they will not be interpreted
by the client.

For Debian 10 buster, these problems have been fixed in version
2.4.38-3+deb10u9.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEE2EfGJRCpwv8kLOAs1gShxII+4PgFAmQCIC8ACgkQ1gShxII+
4Ph6QB/+NNlPFlLfqaYTQVZrgDD1znnhV22n05/pFKaPP2ASH+J6pwd4aAiD2/FI
dkLwYNLTTY36SV8/k6gR8mSqZKDizmbQ2Y2l/MBC0nu0muZlgefzVPOOcC1Zj7DP
L4PcIoAtIWK5rHoLbB2aDTVT65DjaeoeFQHjsPPNoWJL5xUzifHOOCqWeqC+Cq1c
hl+Y29Sa2mCXI9yn9ZsrZm8UL5dT7y17IazDKNEaFAQGERyuqpWyudqCMW6i0JyV
dham2U/kAsy5Mi9BbEZixkGB0QVU/Tr2d6M+/FZrD5LEFm1zLPSOVJ0r4IZwhv58
54UN0Vph42ry+2nMlXtKkz8lVp1if2tfp70fXCEsZLttLpjtYZv9K89F2luJtWUn
LhIFzOKMJOAWjOUSMRO0akt8Vwwm1BKlX/GSgjje2XaAYbGNweWxgbWKkLMlcsce
lwqOoft8r+nqa0JF4Lg29tjyhKjliSh9gqMq5YRTGrBbRQnGoNXphmphxUBCoDkY
q6K8rr2/Rq9ObpxbR+rDT6HovRGS4zGystPTWs/sVLXv+xQO7cfQ9UMaw7yjM8Mb
X3iXS4KdRvYAWPU+f5/xnCuLvaFcPYc8VFF3m9n0AWCGQw6+/75QT0KFLPhZjIiv
ZiA0bt9qFcs9I3e7epb//wm0h8ZV+abls41zGt2ot6xac5Asuk9YcLEvmR3KdsS9
Goga6TfkDdvROxKbdWQxN2zG7R2FhnF5TiEfk0Nul3SjaI964k0/n/VIfgk/pw0J
SZIdWHVJ2ayiap+anJvxvJWkWOI2W+2K8gt9Ten9hIpaJ9nBTyPvGkDpTxOm8UB3
HJ0H64zLK4rFkVknSDhoSlHiw8HSaQgrPRKn+TJ5nqLpaEOAt9Tp5l3DdsUuO0xq
cNgnr0Me8QmaAQOUm/GONZDoomaPR8+FNINTRAFbOAn3sA0bVcGX0nV7v8+Yz8UP
o6W5/LoK3tGzEvBhimbP8lAbuPt5372CMnpUAI3glNoEN0ITJHPtS/+NmkVX/h2T
Y2RHwD01erKWcqFdXGa7Fv6p5S9KuluP4fCjTSiWTWYgv+ztLxXxffrDhAM2hbeo
HnAtZhqyHfHaPccTN1WaYc472BSluLsYDoIOe5iYlM/+Bi7mxvCqhc60fNB+WIL5
RPVdjO7mfhlWZ5UAxqgAKEDcKsPY/zBTvoXiIhca9HKz/0LcC94X8q8Js77VH2Ph
EyUAyCV+tN+FOmSnz8fV9834PS3EBRYLH4rioRu+qt1vnZ/cTEUAYSKLZkfA87xo
7+vAevloVz+Ue7qjnBD+iLDR5L6EyM3SjQHbQ9llQ/Oz/b80GWI5NOoDyD0nFL/2
l+oQFtAhGViz3mQA7UFztsF1RzCLVA==
=L5AZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
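The Debian advisory above names 2.4.38-3+deb10u9 as the fixed apache2 version for Debian 10 buster and recommends upgrading. The following script is an added example, not part of the AusCERT bulletin or of the Debian advisory: it reads the installed apache2 version with dpkg-query and compares it against that fixed version using a reimplementation of dpkg's version ordering (epoch, upstream version, Debian revision; "~" sorts before anything else, digit runs compare numerically). The reimplementation is this example's own assumption, so on a real Debian host `dpkg --compare-versions` remains the authoritative comparison, and the fixed version applies to buster only; other releases carry different fixed versions.

```python
"""Is the installed apache2 at or above the DLA-3351-1 fixed version?

Added example, not part of the AusCERT bulletin or the Debian advisory.
The comparison is a reimplementation of dpkg's version ordering (an
assumption of this example); `dpkg --compare-versions` is authoritative.
"""
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "2.4.38-3+deb10u9"  # from DLA-3351-1, Debian 10 buster only


def _order(ch: str) -> int:
    """Weight of one character in dpkg's ordering: end of string and digits
    are 0, '~' sorts below end of string, letters below other symbols."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment like dpkg's verrevcmp()."""
    while a or b:
        # Leading non-digit runs are compared character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit runs are compared numerically, leading zeros ignored.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            if first_diff == 0:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # a's number has more digits, so it is larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (epoch before the first ':',
    revision after the last '-'; both optional)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    result = _verrevcmp(ua, ub)
    return result if result != 0 else _verrevcmp(ra, rb)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_apache2_version() -> Optional[str]:
    """Installed apache2 version via dpkg-query, or None when dpkg-query is
    missing, the package is unknown, or it is not in state 'installed'."""
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(
        ["dpkg-query", "-W", "-f=${db:Status-Status} ${Version}", "apache2"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    status, _, version = proc.stdout.strip().partition(" ")
    return version if status == "installed" and version else None


if __name__ == "__main__":
    current = installed_apache2_version()
    if current is None:
        print("apache2 is not installed here, or dpkg-query is unavailable")
    elif is_patched(current):
        print(f"apache2 {current}: at or above {FIXED_VERSION}, DLA-3351-1 applied")
    else:
        print(f"apache2 {current}: older than {FIXED_VERSION}, upgrade apache2")
```

Run it on each buster host after `apt-get update && apt-get upgrade`; a package left in state "config-files" (removed but not purged) is deliberately reported as not installed rather than as vulnerable, since no httpd binary is present in that state.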

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----