Apache2 Vulnerability

Daniel Johnston danielj at premiercu.org
Thu Sep 7 17:25:27 UTC 2023


Hello,

I was wondering when you plan to upgrade Apache from 2.4.55 to at least 2.4.56 to address the vulnerabilities with Apache?
We have been checking weekly for a number of months now.
Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
     HTTP response splitting (cve.mitre.org)
     HTTP Response Smuggling vulnerability in Apache HTTP Server via
     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
     2.4.30 through 2.4.55.
     Special characters in the origin response header can
     truncate/split the response forwarded to the client.
     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule or ProxyPassMatch in which a non-specific
     pattern matches some portion of the user-supplied request-target (URL)
     data and is then re-inserted into the proxied request-target
     using variable substitution. For example, something like:
        RewriteEngine on
        RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
        ProxyPassReverse /here/  http://example.com:8080/
     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe

Daniel Johnston
IT Systems Administrator | Premier Credit Union
515-245-3541
danielj at premiercu.org
www.PremierCU.org <https://www.premiercu.org/>
800 9th St, Des Moines, Iowa 50309
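The following is an added example, not part of the post above and not Apache's code. It simulates the CVE-2023-25690 pattern from the quoted CHANGES entry: a RewriteRule whose capture group is re-inserted into the proxied request-target, with the unsafe substitution beside a hardened variant. The rule and backend host are the ones from the quoted configuration; the attack request-target (SMUGGLE) is constructed for the demonstration, and the "hardened" function is a practitioner-side mitigation, not the upstream fix.

```python
"""Simulation of the request-splitting pattern behind CVE-2023-25690.

Added example, not Apache's code and not part of the original post. It
models the quoted rule

    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]

and shows why percent-encoded CR/LF in a client URL can turn into a second
request on the wire to the backend. SMUGGLE is a constructed sample; the
"hardened" variant is a practitioner-side mitigation, not the upstream fix.
"""
import re
from urllib.parse import quote, unquote

# Apache compiles RewriteRule patterns with DOTALL by default
# (RegexDefaultOptions), so '.' also crosses a line break here.
RULE = re.compile(r"^/here/(.*)", re.DOTALL)
TARGET = "http://example.com:8080/elsewhere?{capture}"
BACKEND_HOST = "example.com:8080"  # host from the quoted rule

# Constructed attack request-target: a complete request line, a header
# block, and the start of a second request, all hidden in one URL.
SMUGGLE = ("/here/%20HTTP/1.1%0d%0aHost:%20example.com:8080%0d%0a%0d%0a"
           "GET%20/admin")


def rewrite_vulnerable(request_target: str) -> str:
    """Unsafe substitution: the path is percent-decoded before the pattern
    is matched, and the capture is pasted into the target verbatim. The
    '?' puts it in the query string, which is forwarded without
    re-encoding, so decoded CR/LF survive into the proxied request."""
    m = RULE.match(unquote(request_target))
    if not m:
        return request_target
    return TARGET.format(capture=m.group(1))


def rewrite_hardened(request_target: str) -> str:
    """Mitigation for a server you cannot patch yet: refuse any
    request-target that contains control characters once decoded, and
    re-escape the capture before substitution (the RewriteRule [B] flag
    does the latter). Note that quote(..., safe="") also encodes '/'."""
    decoded = unquote(request_target)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in request-target: respond 400")
    m = RULE.match(decoded)
    if not m:
        return request_target
    return TARGET.format(capture=quote(m.group(1), safe=""))


def proxied_request(rewritten_url: str) -> bytes:
    """Request line and headers the proxy would write to the backend."""
    path_and_query = rewritten_url.split("//", 1)[1].split("/", 1)[1]
    return (f"GET /{path_and_query} HTTP/1.1\r\n"
            f"Host: {BACKEND_HOST}\r\n\r\n").encode()


def request_lines(wire: bytes) -> list[str]:
    """Every line the backend would parse as the start of a new request."""
    return [line.decode() for line in wire.split(b"\r\n")
            if re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", line)]


if __name__ == "__main__":
    wire = proxied_request(rewrite_vulnerable(SMUGGLE))
    print("vulnerable rewrite sends:", request_lines(wire))
    try:
        rewrite_hardened(SMUGGLE)
    except ValueError as exc:
        print("hardened rewrite:", exc)
```

Running it shows the vulnerable rewrite producing two request lines on the backend connection from a single client request, while the hardened version rejects the same input. One practical caveat when checking whether a host is affected: Ubuntu normally backports security fixes into its apache2 package without changing the upstream version string, so the package changelog (for example `apt changelog apache2 | grep -i CVE-2023-25690`) is the thing to check, not the version printed by `apache2 -v`.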




More information about the Ubuntu-devel-discuss mailing list