An apache2 security update has been released for Debian GNU/Linux 8 Extended LTS and 9 Extended LTS to address several security vulnerabilities.

ELA-632-1 apache2 security update

Package apache2
Version 2.4.10-10+deb8u23 (jessie), 2.4.25-3+deb9u14 (stretch)
Related CVEs CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813

Several security vulnerabilities were found in the Apache HTTP server:

CVE-2022-26377

Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards
requests to.

CVE-2022-28614

The ap_rwrite() function read unintended memory if an attacker can
cause the server to reflect very large input using ap_rwrite() or
ap_rputs(), such as with mod_luas r:puts() function. Modules
compiled and distributed separately from Apache HTTP Server that use
the 'ap_rputs' function and may pass it a very large (INT_MAX or
larger) string must be compiled against current headers to resolve
the issue.

CVE-2022-28615

Apache HTTP Server may crash or disclose information due to a read
beyond bounds in ap_strcmp_match() when provided with an extremely
large input buffer.

CVE-2022-29404

In Apache HTTP Server, a malicious request to a lua script that
calls r:parsebody(0) may cause a denial of service due to no default
limit on possible input size.

CVE-2022-30522

If Apache HTTP Server is configured to do transformations with
mod_sed in contexts where the input to mod_sed may be very large,
mod_sed may make excessively large memory allocations and trigger an
abort.

CVE-2022-30556

Apache HTTP Server may return lengths to applications calling
r:wsread() that point past the end of the storage allocated for the
buffer.

CVE-2022-31813

Apache HTTP Server may not send the X-Forwarded-* headers to the
origin server based on client side Connection header hop-by-hop
mechanism. This may be used to bypass IP based authentication on the
origin server/application.

For Debian 8 jessie, these problems have been fixed in version 2.4.10-10+deb8u23.

For Debian 9 stretch, these problems have been fixed in version 2.4.25-3+deb9u14.

We recommend that you upgrade your apache2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-632-1 apache2 security update