An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS and openEuler-22.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1161
Final
1.0
1.0
2023-03-17
Initial
2023-03-17
2023-03-17
openEuler SA Tool V1.0
2023-03-17
httpd security update
An update for httpd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.
Security Fix(es):
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. (CVE-2023-27522)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, a configuration like the following:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. (CVE-2023-25690)
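As an added example (not part of this advisory or of the httpd project), the following Python audit scans an httpd configuration for the pattern the CVE-2023-25690 description names: a proxied RewriteRule ([P] flag) or ProxyPassMatch whose target re-inserts a non-specific capture group from the request-target. The directive names and flag syntax are httpd's own; the sample configuration, hostnames and the "broad group" heuristic are constructed for the example.

```python
import re
import shlex
from typing import List, Tuple

# Constructed httpd fragment, not from any real server. Line 3 mirrors the
# advisory's example, line 5 the ProxyPassMatch variant; 6-7 must not be flagged.
SAMPLE_CONFIG = """
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
RewriteRule "^/static/([a-z0-9_-]+\\.css)$" "http://cdn.internal/$1" [P]
ProxyPass /fixed/ http://backend.internal:9000/fixed/
"""

GROUP = re.compile(r"\(([^()]*)\)")  # flat (non-nested, unescaped) groups
BACKREF = re.compile(r"\$(\d)")      # $1..$9 substitutions in the target


def is_broad(group: str) -> bool:
    """'.*', '.+' and negated classes admit CR, LF and spaces, so they can
    carry request-line bytes from the client into the proxied target."""
    return ".*" in group or ".+" in group or "[^" in group


def audit_config(config: str) -> List[Tuple[int, str]]:
    """Return (line, message) for each proxied RewriteRule ([P] flag) or
    ProxyPassMatch whose target re-inserts a broad capture group."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoting httpd accepts
        name = tokens[0].lower()
        if name == "rewriterule" and len(tokens) >= 4:
            flags = tokens[3].strip("[]").upper().split(",")
            if not {"P", "PROXY"} & set(flags):
                continue  # not proxied: outside CVE-2023-25690's scope
        elif name != "proxypassmatch" or len(tokens) < 3:
            continue
        pattern, target = tokens[1], tokens[2]
        groups = GROUP.findall(pattern)
        for m in BACKREF.finditer(target):
            n = int(m.group(1))
            if 1 <= n <= len(groups) and is_broad(groups[n - 1]):
                findings.append((lineno, f"{tokens[0]} re-inserts ${n}={groups[n - 1]!r}"))
    return findings
```

The audit locates exposed configurations but does not replace the update: openEuler ships the fix as a backported build (the package versions listed in this advisory), so the installed package version, not the upstream 2.4.56 number, is the patch-state check on these releases.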
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
httpd
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1161
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27522
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-25690
https://nvd.nist.gov/vuln/detail/CVE-2023-27522
https://nvd.nist.gov/vuln/detail/CVE-2023-25690
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
mod_md-2.4.43-21.oe1.aarch64.rpm
httpd-devel-2.4.43-21.oe1.aarch64.rpm
mod_session-2.4.43-21.oe1.aarch64.rpm
mod_ssl-2.4.43-21.oe1.aarch64.rpm
httpd-tools-2.4.43-21.oe1.aarch64.rpm
httpd-debugsource-2.4.43-21.oe1.aarch64.rpm
mod_ldap-2.4.43-21.oe1.aarch64.rpm
httpd-2.4.43-21.oe1.aarch64.rpm
mod_proxy_html-2.4.43-21.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-21.oe1.aarch64.rpm
mod_md-2.4.43-21.oe1.aarch64.rpm
httpd-2.4.43-21.oe1.aarch64.rpm
httpd-devel-2.4.43-21.oe1.aarch64.rpm
httpd-tools-2.4.43-21.oe1.aarch64.rpm
mod_ldap-2.4.43-21.oe1.aarch64.rpm
httpd-debugsource-2.4.43-21.oe1.aarch64.rpm
mod_proxy_html-2.4.43-21.oe1.aarch64.rpm
mod_session-2.4.43-21.oe1.aarch64.rpm
httpd-debuginfo-2.4.43-21.oe1.aarch64.rpm
mod_ssl-2.4.43-21.oe1.aarch64.rpm
httpd-debuginfo-2.4.51-15.oe2203.aarch64.rpm
httpd-tools-2.4.51-15.oe2203.aarch64.rpm
httpd-debugsource-2.4.51-15.oe2203.aarch64.rpm
mod_ssl-2.4.51-15.oe2203.aarch64.rpm
mod_proxy_html-2.4.51-15.oe2203.aarch64.rpm
mod_ldap-2.4.51-15.oe2203.aarch64.rpm
mod_md-2.4.51-15.oe2203.aarch64.rpm
httpd-2.4.51-15.oe2203.aarch64.rpm
httpd-devel-2.4.51-15.oe2203.aarch64.rpm
mod_session-2.4.51-15.oe2203.aarch64.rpm
mod_proxy_html-2.4.51-15.oe2203sp1.aarch64.rpm
mod_md-2.4.51-15.oe2203sp1.aarch64.rpm
mod_ssl-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-devel-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-debuginfo-2.4.51-15.oe2203sp1.aarch64.rpm
mod_session-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-debugsource-2.4.51-15.oe2203sp1.aarch64.rpm
mod_ldap-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-tools-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-2.4.51-15.oe2203sp1.aarch64.rpm
httpd-filesystem-2.4.43-21.oe1.noarch.rpm
httpd-help-2.4.43-21.oe1.noarch.rpm
httpd-help-2.4.43-21.oe1.noarch.rpm
httpd-filesystem-2.4.43-21.oe1.noarch.rpm
httpd-help-2.4.51-15.oe2203.noarch.rpm
httpd-filesystem-2.4.51-15.oe2203.noarch.rpm
httpd-filesystem-2.4.51-15.oe2203sp1.noarch.rpm
httpd-help-2.4.51-15.oe2203sp1.noarch.rpm
httpd-2.4.43-21.oe1.src.rpm
httpd-2.4.43-21.oe1.src.rpm
httpd-2.4.51-15.oe2203.src.rpm
httpd-2.4.51-15.oe2203sp1.src.rpm
httpd-debuginfo-2.4.43-21.oe1.x86_64.rpm
httpd-tools-2.4.43-21.oe1.x86_64.rpm
httpd-devel-2.4.43-21.oe1.x86_64.rpm
mod_ssl-2.4.43-21.oe1.x86_64.rpm
mod_proxy_html-2.4.43-21.oe1.x86_64.rpm
mod_session-2.4.43-21.oe1.x86_64.rpm
mod_ldap-2.4.43-21.oe1.x86_64.rpm
httpd-2.4.43-21.oe1.x86_64.rpm
httpd-debugsource-2.4.43-21.oe1.x86_64.rpm
mod_md-2.4.43-21.oe1.x86_64.rpm
mod_proxy_html-2.4.43-21.oe1.x86_64.rpm
httpd-2.4.43-21.oe1.x86_64.rpm
httpd-tools-2.4.43-21.oe1.x86_64.rpm
httpd-debugsource-2.4.43-21.oe1.x86_64.rpm
mod_ldap-2.4.43-21.oe1.x86_64.rpm
mod_session-2.4.43-21.oe1.x86_64.rpm
httpd-debuginfo-2.4.43-21.oe1.x86_64.rpm
mod_md-2.4.43-21.oe1.x86_64.rpm
mod_ssl-2.4.43-21.oe1.x86_64.rpm
httpd-devel-2.4.43-21.oe1.x86_64.rpm
mod_proxy_html-2.4.51-15.oe2203.x86_64.rpm
httpd-devel-2.4.51-15.oe2203.x86_64.rpm
httpd-2.4.51-15.oe2203.x86_64.rpm
httpd-debuginfo-2.4.51-15.oe2203.x86_64.rpm
mod_ssl-2.4.51-15.oe2203.x86_64.rpm
mod_session-2.4.51-15.oe2203.x86_64.rpm
mod_md-2.4.51-15.oe2203.x86_64.rpm
mod_ldap-2.4.51-15.oe2203.x86_64.rpm
httpd-tools-2.4.51-15.oe2203.x86_64.rpm
httpd-debugsource-2.4.51-15.oe2203.x86_64.rpm
mod_md-2.4.51-15.oe2203sp1.x86_64.rpm
httpd-devel-2.4.51-15.oe2203sp1.x86_64.rpm
mod_session-2.4.51-15.oe2203sp1.x86_64.rpm
httpd-2.4.51-15.oe2203sp1.x86_64.rpm
httpd-debuginfo-2.4.51-15.oe2203sp1.x86_64.rpm
httpd-debugsource-2.4.51-15.oe2203sp1.x86_64.rpm
mod_ldap-2.4.51-15.oe2203sp1.x86_64.rpm
mod_proxy_html-2.4.51-15.oe2203sp1.x86_64.rpm
mod_ssl-2.4.51-15.oe2203sp1.x86_64.rpm
httpd-tools-2.4.51-15.oe2203sp1.x86_64.rpm
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
2023-03-17
CVE-2023-27522
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
Medium
5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
httpd security update
2023-03-17
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1161
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, a configuration like the following:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
2023-03-17
CVE-2023-25690
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
httpd security update
2023-03-17
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1161