
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1128-1 axis security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1129-1 apache2 security update

Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[DSA 5729-1] apache2 security update



ELA-1128-1 axis security update

Package : axis
Version : 1.4-21+deb8u1 (jessie)

Related CVEs :
CVE-2018-8032
CVE-2023-40743

Two vulnerabilities were discovered in Apache Axis, an XML-based web service
framework for Java.

CVE-2018-8032: Fix a cross-site scripting (XSS) attack in the default
servlet/services. (#905328)

CVE-2023-40743: Fix an issue in ServiceFactory.getService that allowed
potentially dangerous lookup mechanisms. When passing untrusted input to this
API method, this could have exposed the application to DoS, SSRF and even
attacks leading to remote code execution. (#1051288)



[DSA 5729-1] apache2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5729-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 11, 2024                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : apache2
CVE ID : CVE-2024-36387 CVE-2024-38473 CVE-2024-38474 CVE-2024-38475
CVE-2024-38476 CVE-2024-38477 CVE-2024-39573

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in authentication bypass, execution of scripts in
directories not directly reachable by any URL, server-side request
forgery or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.4.61-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 2.4.61-1~deb12u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
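A way to check whether a host already carries the fixed versions quoted on this page (DSA-5729-1 for bullseye and bookworm, ELA-1129-1 for stretch, ELA-1128-1 for axis on jessie), as an added example that is not part of the advisories or of Debian's own tooling: it reimplements the dpkg version ordering (epoch, upstream version, Debian revision, with "~" sorting before everything so that 2.4.61-1~deb11u1 is older than 2.4.61-1) and compares an installed version string against the advisory's fixed version. The package/suite keys are an assumption of this example; the installed string would come from `dpkg-query -W -f='${Version}' apache2`.

```python
import re
from itertools import zip_longest
# Fixed versions copied from the advisories on this page (ELA-1128-1, DSA-5729-1, ELA-1129-1).
FIXED_VERSIONS = {
    ("axis", "jessie"): "1.4-21+deb8u1",
    ("apache2", "stretch"): "2.4.25-3+deb9u17",
    ("apache2", "bullseye"): "2.4.61-1~deb11u1",
    ("apache2", "bookworm"): "2.4.61-1~deb12u1",
}

_VERSION_RE = re.compile(r"^(?:(\d+):)?(.+?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]
_TOKEN_RE = re.compile(r"(\D*)(\d*)")                          # alternating runs, as in dpkg

def _order(c):
    # dpkg character weight: end-of-string and digits 0, letters by code point,
    # '~' below everything (so 1.0~rc1 < 1.0), any other symbol above the letters.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Same ordering as dpkg's verrevcmp(): compare a non-digit run character by
    # character, then the following numeric run as an integer, until a side differs.
    pairs = zip_longest(_TOKEN_RE.findall(a), _TOKEN_RE.findall(b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    # Epoch defaults to 0; a missing Debian revision compares like "0".
    m = _VERSION_RE.match(version)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def compare_versions(a, b):
    # Returns -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def is_fixed(package, suite, installed):
    # True when the installed version is at or above the advisory's fixed version.
    return compare_versions(installed, FIXED_VERSIONS[(package, suite)]) >= 0
```

On a real host, `dpkg --compare-versions` gives the same answer and is the authoritative check; the point of the reimplementation is to run the comparison from inventory data collected off-box.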


ELA-1129-1 apache2 security update

Package : apache2
Version : 2.4.25-3+deb9u17 (stretch)

Related CVEs :
CVE-2020-9490
CVE-2020-11993
CVE-2021-33193
CVE-2023-45802
CVE-2024-27316

Multiple vulnerabilities were fixed in the HTTP2 module of apache2.

CVE-2020-9490
A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.

CVE-2020-11993
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.

CVE-2021-33193
A crafted method sent through HTTP/2 bypassed validation and was forwarded by mod_proxy, which could lead to request splitting or cache poisoning.

CVE-2023-45802
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

CVE-2024-27316
HTTP/2 incoming headers exceeding the limit were temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client did not stop sending headers, this led to memory exhaustion.
