<div dir="ltr">Hi Daniel,<br><br>The two CVEs you mention, CVE-2023-27522 and CVE-2023-25690, have already been<br>addressed in Ubuntu, and have been since March.<br><br><a href="https://ubuntu.com/security/CVE-2023-27522">https://ubuntu.com/security/CVE-2023-27522</a><br><a href="https://ubuntu.com/security/CVE-2023-25690">https://ubuntu.com/security/CVE-2023-25690</a><br><br>For 22.04, these were both fixed in apache2 2.4.52-1ubuntu4.4:<br><br><a href="https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.4">https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.4</a><br><br>For 20.04, these were both fixed in apache2 2.4.41-4ubuntu3.14:<br><br><a href="https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14">https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14</a><br><br>Packages in the Ubuntu archive don't typically receive wholesale point releases<br>unless that package has a microrelease exception. This is intended to keep<br>regressions and changes in functionality to a minimum. Instead, we simply take<br>the CVE fix itself, and place it on top of the version in the Ubuntu archive,<br>and make a new build. The CVE is fixed without having to take sometimes<br>hundreds of additional changes at the same time.<br><br>See:<br><br><a href="https://wiki.ubuntu.com/SecurityTeam/FAQ">https://wiki.ubuntu.com/SecurityTeam/FAQ</a><br><a href="https://wiki.ubuntu.com/StableReleaseUpdates#Why">https://wiki.ubuntu.com/StableReleaseUpdates#Why</a><br><br>In the future, see the Ubuntu CVE tracker to see if a particular CVE has been<br>fixed.<br><br>Thanks,<br>Matthew</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 15 Sept 2023 at 11:00, Daniel Johnston <<a href="mailto:danielj@premiercu.org">danielj@premiercu.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg6910125801822712965">





<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="m_6910125801822712965WordSection1">
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I was wondering when you plan to upgrade Apache from 2.4.55 to at least 2.4.56 to address the vulnerabilities with Apache?<u></u><u></u></p>
<p class="MsoNormal">We have been checking weekly for a number of months now.<u></u><u></u></p>
<p class="MsoNormal">Changes with Apache 2.4.56<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi<u></u><u></u></p>
<p class="MsoNormal">     HTTP response splitting (<a href="http://cve.mitre.org" target="_blank">cve.mitre.org</a>)<u></u><u></u></p>
<p class="MsoNormal">     HTTP Response Smuggling vulnerability in Apache HTTP Server via<u></u><u></u></p>
<p class="MsoNormal">     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from<u></u><u></u></p>
<p class="MsoNormal">     2.4.30 through 2.4.55.<u></u><u></u></p>
<p class="MsoNormal">     Special characters in the origin response header can<u></u><u></u></p>
<p class="MsoNormal">     truncate/split the response forwarded to the client.<u></u><u></u></p>
<p class="MsoNormal">     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">  *) SECURITY: CVE-2023-25690: HTTP request splitting with<u></u><u></u></p>
<p class="MsoNormal">     mod_rewrite and mod_proxy (<a href="http://cve.mitre.org" target="_blank">cve.mitre.org</a>)<u></u><u></u></p>
<p class="MsoNormal">     Some mod_proxy configurations on Apache HTTP Server versions<u></u><u></u></p>
<p class="MsoNormal">     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.<u></u><u></u></p>
<p class="MsoNormal">     Configurations are affected when mod_proxy is enabled along with<u></u><u></u></p>
<p class="MsoNormal">     some form of RewriteRule or ProxyPassMatch in which a non-specific<u></u><u></u></p>
<p class="MsoNormal">     pattern matches some portion of the user-supplied request-target (URL)<u></u><u></u></p>
<p class="MsoNormal">     data and is then re-inserted into the proxied request-target<u></u><u></u></p>
<p class="MsoNormal">     using variable substitution. For example, something like:<u></u><u></u></p>
<p class="MsoNormal">        RewriteEngine on<u></u><u></u></p>
<p class="MsoNormal">        RewriteRule "^/here/(.*)" "<a href="http://example.com:8080/elsewhere?$1" target="_blank">http://example.com:8080/elsewhere?$1</a>"; [P]<u></u><u></u></p>
<p class="MsoNormal">        ProxyPassReverse /here/  <a href="http://example.com:8080/" target="_blank">http://example.com:8080/</a><u></u><u></u></p>
<p class="MsoNormal">     Request splitting/smuggling could result in bypass of access<u></u><u></u></p>
<p class="MsoNormal">     controls in the proxy server, proxying unintended URLs to<u></u><u></u></p>
<p class="MsoNormal">     existing origin servers, and cache poisoning.<u></u><u></u></p>
<p class="MsoNormal">     Credits: Lars Krapf of Adobe<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>

</div></blockquote></div>