
(RHSA-2023:4628) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update

2023-08-15 17:35:26
access.redhat.com

EPSS: 0.059 (Low), percentile 93.4%

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • apr-util: integer overflow/wraparound in apr_encode (CVE-2022-24963)

  • apr-util: Windows out-of-bounds write in apr_socket_sendv function (CVE-2022-28331)

  • httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)

  • httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

  • mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass (CVE-2022-48279)

  • modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass (CVE-2023-24021)

  • httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)

  • curl: use after free in SSH sha256 fingerprint check (CVE-2023-28319)

  • curl: IDN wildcard match may lead to Improper Certificate Validation (CVE-2023-28321)

  • libxml2: NULL dereference in xmlSchemaFixupComplexType (CVE-2023-28484)

  • libxml2: Hashing of empty dict strings isn’t deterministic (CVE-2023-29469)

  • curl: more POST-after-PUT confusion (CVE-2023-28322)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.