Bug 270037 - www/apache24: Security Update to 2.4.56
Summary: www/apache24: Security Update to 2.4.56
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jochen Neumeister
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-03-08 13:43 UTC by Fabian Wenk
Modified: 2023-03-15 00:20 UTC (History)
9 users (show)

See Also:
i.dani: maintainer-feedback? (ports-secteam)


Attachments
Patch file for 2.4.56 (632 bytes, patch)
2023-03-09 15:32 UTC, vincent.jancso
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Fabian Wenk 2023-03-08 13:43:55 UTC
Posting in oss-security mailing list:

CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
https://www.openwall.com/lists/oss-security/2023/03/07/1

CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
https://www.openwall.com/lists/oss-security/2023/03/07/2

And Apache httpd ChangeLog for 2.4.56:
https://downloads.apache.org/httpd/CHANGES_2.4.56
Comment 1 vincent.jancso 2023-03-09 15:32:49 UTC
Created attachment 240705 [details]
Patch file for 2.4.56

Patch file for 2.4.56
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-03-12 16:41:23 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8ec7b3510f11d22eedea008ad340daf96057207f

commit 8ec7b3510f11d22eedea008ad340daf96057207f
Author:     Vincent Jancso <vincent.jancso@outlook.com>
AuthorDate: 2023-03-12 16:37:16 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2023-03-12 16:39:56 +0000

    www/apache24: Update to 2.4.56

    Changes with Apache 2.4.56

      *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
         HTTP response splitting (cve.mitre.org)
         HTTP Response Smuggling vulnerability in Apache HTTP Server via
         mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
         2.4.30 through 2.4.55.
         Special characters in the origin response header can
         truncate/split the response forwarded to the client.
         Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

      *) SECURITY: CVE-2023-25690: HTTP request splitting with
         mod_rewrite and mod_proxy (cve.mitre.org)
         Some mod_proxy configurations on Apache HTTP Server versions
         2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
         Configurations are affected when mod_proxy is enabled along with
         some form of RewriteRule
         or ProxyPassMatch in which a non-specific pattern matches
         some portion of the user-supplied request-target (URL) data and
         is then
         re-inserted into the proxied request-target using variable
         substitution. For example, something like:
         RewriteEngine on
         RewriteRule "^/here/(.*)" "
         http://example.com:8080/elsewhere?$1"
         http://example.com:8080/elsewhere ; [P]
         ProxyPassReverse /here/  http://example.com:8080/
         http://example.com:8080/
         Request splitting/smuggling could result in bypass of access
         controls in the proxy server, proxying unintended URLs to
         existing origin servers, and cache poisoning.
         Credits: Lars Krapf of Adobe

      *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
         truncated without the initial logfile being truncated.  [Eric Covener]

      *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
         allow connections of any age to be reused. Up to now, a negative value
         was handled as an error when parsing the configuration file.  PR 66421.
         [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

      *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
         of headers. [Ruediger Pluem]

      *) mod_md:
         - Enabling ED25519 support and certificate transparency information when
           building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
         - MDChallengeDns01 can now be configured for individual domains.
           Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
         - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
           teardown not being invoked as it should.
         [Stefan Eissing]

      *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
         reported in access logs and error documents. The processing of the
         reset was correct, only unneccesary reporting was caused.
         [Stefan Eissing]

      *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
         [Yann Ylavic]

    PR:     270037
    Reported by:    Fabian Wenk <fabian@wenks.ch>
    Sponsored by:   Netzkommune GmbH

 www/apache24/Makefile | 2 +-
 www/apache24/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 Alex 2023-03-12 17:19:06 UTC
any chance to push this to the quarterly branch as well considering the security fixes? 

Thanks very much!
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-03-13 17:30:26 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97fb270dfd31ed025eb29b244ba662cf1d371e4c

commit 97fb270dfd31ed025eb29b244ba662cf1d371e4c
Author:     Vincent Jancso <vincent.jancso@outlook.com>
AuthorDate: 2023-03-12 16:37:16 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2023-03-13 17:29:41 +0000

    www/apache24: Update to 2.4.56

    Changes with Apache 2.4.56

      *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
         HTTP response splitting (cve.mitre.org)
         HTTP Response Smuggling vulnerability in Apache HTTP Server via
         mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
         2.4.30 through 2.4.55.
         Special characters in the origin response header can
         truncate/split the response forwarded to the client.
         Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

      *) SECURITY: CVE-2023-25690: HTTP request splitting with
         mod_rewrite and mod_proxy (cve.mitre.org)
         Some mod_proxy configurations on Apache HTTP Server versions
         2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
         Configurations are affected when mod_proxy is enabled along with
         some form of RewriteRule
         or ProxyPassMatch in which a non-specific pattern matches
         some portion of the user-supplied request-target (URL) data and
         is then
         re-inserted into the proxied request-target using variable
         substitution. For example, something like:
         RewriteEngine on
         RewriteRule "^/here/(.*)" "
         http://example.com:8080/elsewhere?$1"
         http://example.com:8080/elsewhere ; [P]
         ProxyPassReverse /here/  http://example.com:8080/
         http://example.com:8080/
         Request splitting/smuggling could result in bypass of access
         controls in the proxy server, proxying unintended URLs to
         existing origin servers, and cache poisoning.
         Credits: Lars Krapf of Adobe

      *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
         truncated without the initial logfile being truncated.  [Eric Covener]

      *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
         allow connections of any age to be reused. Up to now, a negative value
         was handled as an error when parsing the configuration file.  PR 66421.
         [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

      *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
         of headers. [Ruediger Pluem]

      *) mod_md:
         - Enabling ED25519 support and certificate transparency information when
           building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
         - MDChallengeDns01 can now be configured for individual domains.
           Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
         - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
           teardown not being invoked as it should.
         [Stefan Eissing]

      *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
         reported in access logs and error documents. The processing of the
         reset was correct, only unneccesary reporting was caused.
         [Stefan Eissing]

      *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
         [Yann Ylavic]

    PR:     270037
    Reported by:    Fabian Wenk <fabian@wenks.ch>
    Sponsored by:   Netzkommune GmbH

    (cherry picked from commit 8ec7b3510f11d22eedea008ad340daf96057207f)

 www/apache24/Makefile | 2 +-
 www/apache24/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)