4 matches found
CLSA-2026-1776965343 Fix CVE(s): CVE-2022-29404
SECURITY UPDATE: DoS via unbounded request body in mod_lua - debian/patches/CVE-2022-29404-part1.patch: set AP_DEFAULT_LIMIT_REQ_BODY to 1GB in server/core.c, enforce LimitRequestBody in ap_setup_client_block in modules/http/http_filters.c, remove redundant proxy check in modules/proxy/mod_proxy_http.c. -...
CLSA-2023-1689009164 Fix CVE(s): CVE-2022-29404
SECURITY UPDATE: mod_lua may cause denial of service in r:parsebody(0) - debian/patches/CVE-2022-29404.patch: use a liberal default limit for LimitRequestBody of 1GB to prevent a denial of service caused by a malicious lua script request - CVE-2022-29404...
CLSA-2022-1648136177 Fix of CVE: CVE-2022-22721, CVE-2022-22720
CVE-2022-22720: simpler connection close logic if discarding the request body fails - CVE-2022-22721: make sure and check that LimitXMLRequestBody fits in system memory...
AZL-9017 CVE-2022-22721 affecting package httpd for versions less than 2.4.53-1
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier...