httpd-2.4.53

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

Fixed at commit 45bc955a300ecde8ebba1051e60e0a977423e486

Package updates.
    Update to imlib2-1.8.1.
    Update to stunnel-5.63.
    Update to httpd-2.4.53.
    Update to HTML-Parser-3.77 (Perl module).

[ken@…]

Belatedly marking as elevated, based on advisories on oss-security:

CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds Severity: important

Description:

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with

very large or unlimited LimitXMLRequestBody

Severity: low

Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier Severity: important

Description:

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody Severity: moderate

Description:

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

This issue affects Apache HTTP Server 2.4.52 and earlier.

[ken@…]

Reassigning to me for advisory.

[ken@…]

SA 11.1-013.