apache2-2.4.54-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12142-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-2.4.54-1.1 on GA media These are all security issues fixed in the apache2-2.4.54-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12142 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-26377/ SUSE CVE CVE-2022-26377 page https://www.suse.com/security/cve/CVE-2022-28330/ SUSE CVE CVE-2022-28330 page https://www.suse.com/security/cve/CVE-2022-28614/ SUSE CVE CVE-2022-28614 page https://www.suse.com/security/cve/CVE-2022-28615/ SUSE CVE CVE-2022-28615 page https://www.suse.com/security/cve/CVE-2022-29404/ SUSE CVE CVE-2022-29404 page https://www.suse.com/security/cve/CVE-2022-30522/ SUSE CVE CVE-2022-30522 page https://www.suse.com/security/cve/CVE-2022-30556/ SUSE CVE CVE-2022-30556 page https://www.suse.com/security/cve/CVE-2022-31813/ SUSE CVE CVE-2022-31813 page openSUSE Tumbleweed apache2-2.4.54-1.1 apache2-2.4.54-1.1 as a component of openSUSE Tumbleweed Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. CVE-2022-26377 openSUSE Tumbleweed:apache2-2.4.54-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26377.html CVE-2022-26377 https://bugzilla.suse.com/1200338 SUSE Bug 1200338 Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. CVE-2022-28330 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28330.html CVE-2022-28330 https://bugzilla.suse.com/1200339 SUSE Bug 1200339 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. CVE-2022-28614 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28614.html CVE-2022-28614 https://bugzilla.suse.com/1200340 SUSE Bug 1200340 Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. CVE-2022-28615 openSUSE Tumbleweed:apache2-2.4.54-1.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28615.html CVE-2022-28615 https://bugzilla.suse.com/1200341 SUSE Bug 1200341 In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. CVE-2022-29404 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-29404.html CVE-2022-29404 https://bugzilla.suse.com/1200345 SUSE Bug 1200345 If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. CVE-2022-30522 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30522.html CVE-2022-30522 https://bugzilla.suse.com/1200352 SUSE Bug 1200352 Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. CVE-2022-30556 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-30556.html CVE-2022-30556 https://bugzilla.suse.com/1200350 SUSE Bug 1200350 Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. CVE-2022-31813 openSUSE Tumbleweed:apache2-2.4.54-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-31813.html CVE-2022-31813 https://bugzilla.suse.com/1200348 SUSE Bug 1200348 https://bugzilla.suse.com/1219585 SUSE Bug 1219585 https://bugzilla.suse.com/1225670 SUSE Bug 1225670