Описание
Security update for apache2
This update for apache2 fixes the following issues:
- CVE-2022-37436: Fixed an issue in mod_proxy where a malicious backend could cause the response headers to be truncated early, resulting in some headers being incorporated into the response body (bsc#1207251).
- CVE-2022-36760: Fixed an issue in mod_proxy_ajp that could allow request smuggling attacks (bsc#1207250).
- CVE-2006-20001: Fixed an issue in mod_proxy_ajp where a request header could cause memory corruption (bsc#1207247).
Список пакетов
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
Ссылки
- Link for SUSE-SU-2023:0185-1
- E-Mail link for SUSE-SU-2023:0185-1
- SUSE Security Ratings
- SUSE Bug 1207247
- SUSE Bug 1207250
- SUSE Bug 1207251
- SUSE CVE CVE-2006-20001 page
- SUSE CVE CVE-2022-36760 page
- SUSE CVE CVE-2022-37436 page
Описание
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
Затронутые продукты
Ссылки
- CVE-2006-20001
- SUSE Bug 1207247
- SUSE Bug 1217021
Описание
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Затронутые продукты
Ссылки
- CVE-2022-36760
- SUSE Bug 1207250
Описание
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Затронутые продукты
Ссылки
- CVE-2022-37436
- SUSE Bug 1207251