{"id":"MGASA-2022-0228","summary":"Updated apache packages fix security vulnerability","details":"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')\nvulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to\nsmuggle requests to the AJP server it forwards requests to. This issue\naffects Apache HTTP Server 2.4 version 2.4.53 and prior\nversions. (CVE-2022-26377)\nApache HTTP Server 2.4.53 and earlier may crash or disclose information\ndue to a read beyond bounds in ap_strcmp_match() when provided with an\nextremely large input buffer. While no code distributed with the server\ncan be coerced into such a call, third-party modules or lua scripts that\nuse ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615)\nIn Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua\nscript that calls r:parsebody(0) may cause a denial of service due to no\ndefault limit on possible input size. (CVE-2022-29404)\nApache HTTP Server 2.4.53 and earlier may return lengths to applications\ncalling r:wsread() that point past the end of the storage allocated for\nthe buffer. (CVE-2022-30556)\nApache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-*\nheaders to the origin server based on client side Connection header\nhop-by-hop mechanism. This may be used to bypass IP based authentication\non the origin server/application. (CVE-2022-31813)\n","modified":"2026-04-16T04:43:18.347020617Z","published":"2022-06-13T20:44:20Z","upstream":["CVE-2022-26377","CVE-2022-28615","CVE-2022-29404","CVE-2022-30556","CVE-2022-31813"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0228.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30529"},{"type":"WEB","url":"https://downloads.apache.org/httpd/CHANGES_2.4.54"},{"type":"WEB","url":"https://httpd.apache.org/security/vulnerabilities_24.html"}],"affected":[{"package":{"name":"apache","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.54-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0228.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}