All errata/c9f2/ALT-PU-2023-1437-2
ALT-PU-2023-1437-2

Package update apache2 in branch c9f2

Version2.4.56-alt1
Task#316469
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (5)

BDU:2023-01738
CRITICAL9.8

Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Published: 2023-03-30Modified: 2025-08-19
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2023-02021
HIGH8.6

Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"

Published: 2023-04-13Modified: 2025-08-19
CVSS 3.xHIGH 8.6
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:C/A:P
References
CVE-2023-25690
CRITICAL9.8

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

Published: 2023-03-07Modified: 2025-12-18
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2023-27522
HIGH7.5

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

Published: 2023-03-07Modified: 2025-05-01
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
GHSA-vcph-37mh-fqrh
HIGH7.5

Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling

Published: 2023-03-07Modified: 2023-08-24
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References