RHSA-2023:0970: Red Hat Security Advisory: httpd security and bug fix update

An update for httpd is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted “If:” request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service.
  • CVE-2022-36760: A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server to which it forwards requests.
  • CVE-2022-37436: A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleared when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by the client.

Synopsis

Moderate: httpd security and bug fix update

Type/Severity

Security Advisory: Moderate


Topic

An update for httpd is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

  • httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)
  • httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)
  • httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • httpd-init fails to create localhost.crt and localhost.key because “sscg” now creates /dhparams.pem by default and is not idempotent when the file /dhparams.pem already exists. (BZ#2165975)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.
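As a practitioner's check on whether a host actually carries the fixed build named in this advisory, here is an added Python example (not Red Hat's code and not part of the advisory). It re-implements rpm's version ordering instead of shelling out, so it also runs offline against saved inventory; the `rpm -q` output it parses is constructed sample input, and the package set and fixed version are taken from the advisory above.

```python
import re

# Fixed build named in RHSA-2023:0970 for RHEL 9 (these packages carry no epoch).
FIXED_EVR = "2.4.53-7.el9_1.1"
# Binary packages shipped by this advisory (from its package list).
ADVISORY_PKGS = {"httpd", "httpd-core", "httpd-devel", "httpd-filesystem",
                 "httpd-manual", "httpd-tools", "mod_ldap", "mod_lua",
                 "mod_proxy_html", "mod_session", "mod_ssl"}
# rpm version segments: digit runs, alpha runs and the ~ / ^ markers; all else separates.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment ordering: 1 if a is newer, -1 if b is newer, 0 if equal.

    Digit runs compare numerically, alpha runs lexically, a numeric segment beats
    an alpha one, '~' sorts before anything (pre-release), '^' just after the base.
    """
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    while ta or tb:
        sa = ta.pop(0) if ta else ""
        sb = tb.pop(0) if tb else ""
        if "~" in (sa, sb):
            if sa != sb:
                return 1 if sb == "~" else -1
            continue
        if "^" in (sa, sb):
            if not sa or not sb:  # a bare base version is older than its ^ variant
                return -1 if not sa else 1
            if sa != sb:
                return 1 if sb == "^" else -1
            continue
        if not sa or not sb:  # one side ran out of segments: the longer one wins
            return -1 if not sa else 1
        if sa.isdigit() != sb.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins; no integer overflow risk
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version-release' as rpm prints it ('(none)' epoch means 0)."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        epoch = "0" if epoch == "(none)" else epoch
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Compare EVR strings: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is the fixed build or newer."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def audit(rpm_output: str, fixed_evr: str = FIXED_EVR) -> dict:
    r"""Map advisory package -> (installed EVR, patched?) from rpm -q output.

    Expected input: rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' <pkgs>
    'package X is not installed' lines are skipped: an absent package is not exposed.
    """
    findings = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        name, evr = line.split(" ", 1)
        if name in ADVISORY_PKGS:
            findings[name] = (evr, is_patched(evr, fixed_evr))
    return findings


# Constructed sample of rpm -q output from a partially updated RHEL 9 host.
SAMPLE_RPM_OUTPUT = """\
httpd (none):2.4.53-7.el9
httpd-core (none):2.4.53-7.el9_1.1
mod_ssl (none):2.4.53-11.el9
package mod_lua is not installed
"""

if __name__ == "__main__":
    for name, (evr, ok) in sorted(audit(SAMPLE_RPM_OUTPUT).items()):
        print(f"{name:15} {evr:28} {'patched' if ok else 'VULNERABLE'}")
```

A later errata build (for example a higher release such as 11.el9 in the sample) compares as newer than the fixed EVR and is reported as patched; a build with a bumped epoch always wins, which is why the epoch is compared first.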

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2161773 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
  • BZ - 2161774 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write of zero byte
  • BZ - 2161777 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request smuggling

Updated packages

Updated packages for Red Hat Enterprise Linux 9 on x86_64, s390x, ppc64le and aarch64 are built from httpd-2.4.53-7.el9_1.1.src.rpm: httpd, httpd-core, httpd-devel, httpd-filesystem, httpd-manual, httpd-tools, mod_ldap, mod_lua, mod_proxy_html, mod_session and mod_ssl at version 2.4.53-7.el9_1.1, plus the matching debuginfo and debugsource packages (per-file SHA-256 checksums omitted here).

Related news

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Gentoo Linux Security Advisory 202309-01

Gentoo Linux Security Advisory 202309-1 - Multiple vulnerabilities have been discovered in Apache HTTPD, the worst of which could result in denial of service. Versions greater than or equal to 2.4.56 are affected.

Red Hat Security Advisory 2023-4628-01

Red Hat Security Advisory 2023-4628-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP response splitting, bypass, integer overflow, out of bounds write, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-4629-01

Red Hat Security Advisory 2023-4629-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section. Issues addressed include HTTP response splitting, bypass, integer overflow, and use-after-free vulnerabilities.

CVE-2023-32494: DSA-2023-269: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Dell PowerScale OneFS, 8.0.x-9.5.x, contains an improper handling of insufficient privileges vulnerability. A local privileged attacker could potentially exploit this vulnerability, leading to elevation of privilege and affect in compliance mode also.

RHSA-2023:4629: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update

An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24963: A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer. * CVE-2022-36760: A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forw...

RHSA-2023:4628: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update

Red Hat JBoss Core Services Apache HTTP Server 2.4.57 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24963: A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer. * CVE-2022-28331: A flaw was found in Apache Portable Runtime, affecting versions <= 1.7.0. This issue may allow a malicious user to write beyond the end of a stack buffer and cause an integer overflow. This affect...

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-26298: HP Device Manager Security Updates

Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges.

RHSA-2023:3354: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

An update is now available for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 on Red Hat Enterprise Linux versions 7 and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-4304: A timing-based side channel exists in the Open...

RHSA-2023:3355: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficien...

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Debian Security Advisory 5376-1

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

Red Hat Security Advisory 2023-0970-01

Red Hat Security Advisory 2023-0970-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include HTTP response splitting and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0852-01

Red Hat Security Advisory 2023-0852-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include HTTP response splitting and out of bounds read vulnerabilities.

RHSA-2023:0852: Red Hat Security Advisory: httpd:2.4 security and bug fix update

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-36760: A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid...

Ubuntu Security Notice USN-5839-2

Ubuntu Security Notice 5839-2 - USN-5839-1 fixed a vulnerability in Apache. This update provides the corresponding update for Ubuntu 16.04 ESM. Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server mod_proxy module incorrectly truncated certain response headers. This may result in later headers not being interpreted by the client.

Ubuntu Security Notice USN-5839-1

Ubuntu Security Notice 5839-1 - It was discovered that the Apache HTTP Server mod_dav module incorrectly handled certain If: request headers. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. ZeddYu_Lu discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly interpreted certain HTTP Requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

Ubuntu Security Notice USN-5834-1

Ubuntu Security Notice 5834-1 - It was discovered that the Apache HTTP Server mod_dav module did not properly handle specially crafted request headers. A remote attacker could possibly use this issue to cause the process to crash, leading to a denial of service. It was discovered that the Apache HTTP Server mod_proxy_ajp module did not properly handle certain invalid Transfer-Encoding headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
