apache2-2.4.56-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12776 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-2.4.56-1.1 on GA media These are all security issues fixed in the apache2-2.4.56-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12776 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12776 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-25690/ SUSE CVE CVE-2023-25690 page https://www.suse.com/security/cve/CVE-2023-27522/ SUSE CVE CVE-2023-27522 page openSUSE Tumbleweed apache2-2.4.56-1.1 apache2-2.4.56-1.1 as a component of openSUSE Tumbleweed Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. CVE-2023-25690 openSUSE Tumbleweed:apache2-2.4.56-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-25690.html CVE-2023-25690 https://bugzilla.suse.com/1209047 SUSE Bug 1209047 https://bugzilla.suse.com/1212409 SUSE Bug 1212409 https://bugzilla.suse.com/1212865 SUSE Bug 1212865 HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. CVE-2023-27522 openSUSE Tumbleweed:apache2-2.4.56-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-27522.html CVE-2023-27522 https://bugzilla.suse.com/1209049 SUSE Bug 1209049