Lucene search

K
almalinuxAlmaLinuxALSA-2022:8067
HistoryNov 15, 2022 - 12:00 a.m.

Moderate: httpd security, bug fix, and enhancement update

2022-11-1500:00:00
errata.almalinux.org
33
httpd
security
bug fix
update
mod_sed
mod_lua
mod_proxy_ajp
mod_proxy
apache http server
cve-2022-23943
cve-2022-22719
cve-2022-22721
cve-2022-26377
cve-2022-29404
cve-2022-30522
cve-2022-31813
cve-2022-28614
cve-2022-28615
cve-2022-30556
almalinux release notes

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.348

Percentile

97.1%

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

The following packages have been upgraded to a later upstream version: httpd (2.4.53). (BZ#2079939)

Security Fix(es):

  • httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)
  • httpd: mod_lua: Use of uninitialized value of in r:parsebody (CVE-2022-22719)
  • httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
  • httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
  • httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)
  • httpd: mod_sed: DoS vulnerability (CVE-2022-30522)
  • httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
  • httpd: Out-of-bounds read via ap_rwrite() (CVE-2022-28614)
  • httpd: Out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
  • httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.348

Percentile

97.1%