Security update for uwsgi SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3853-1 Final 1 1 2024-10-31T11:01:17Z current 2024-10-31T11:01:17Z 2024-10-31T11:01:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for uwsgi This update for uwsgi fixes the following issues: - CVE-2024-24795: Fixed HTTP Response Splitting in multiple modules (bsc#1222332) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3853,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3853,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3853 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243853-1/ Link for SUSE-SU-2024:3853-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019744.html E-Mail link for SUSE-SU-2024:3853-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222332 SUSE Bug 1222332 https://www.suse.com/security/cve/CVE-2024-24795/ SUSE CVE CVE-2024-24795 page SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 apache2-mod_uwsgi-2.0.19.1-150300.3.3.1 uwsgi-2.0.19.1-150300.3.3.1 uwsgi-emperor_pg-2.0.19.1-150300.3.3.1 uwsgi-emperor_zeromq-2.0.19.1-150300.3.3.1 uwsgi-gevent-2.0.19.1-150300.3.3.1 uwsgi-glusterfs-2.0.19.1-150300.3.3.1 uwsgi-greenlet-2.0.19.1-150300.3.3.1 uwsgi-jvm-2.0.19.1-150300.3.3.1 uwsgi-ldap-2.0.19.1-150300.3.3.1 uwsgi-libffi-2.0.19.1-150300.3.3.1 uwsgi-logzmq-2.0.19.1-150300.3.3.1 uwsgi-lua-2.0.19.1-150300.3.3.1 uwsgi-pam-2.0.19.1-150300.3.3.1 uwsgi-php7-2.0.19.1-150300.3.3.1 uwsgi-psgi-2.0.19.1-150300.3.3.1 uwsgi-pypy-2.0.19.1-150300.3.3.1 uwsgi-python-2.0.19.1-150300.3.3.1 uwsgi-python3-2.0.19.1-150300.3.3.1 uwsgi-sqlite3-2.0.19.1-150300.3.3.1 uwsgi-xslt-2.0.19.1-150300.3.3.1 uwsgi-python-2.0.19.1-150300.3.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 uwsgi-python-2.0.19.1-150300.3.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. CVE-2024-24795 SUSE Linux Enterprise Module for Package Hub 15 SP5:uwsgi-python-2.0.19.1-150300.3.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:uwsgi-python-2.0.19.1-150300.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243853-1/ https://www.suse.com/security/cve/CVE-2024-24795.html CVE-2024-24795 https://bugzilla.suse.com/1222332 SUSE Bug 1222332