{"id":"MGASA-2023-0304","summary":"Updated apache packages fix security vulnerabilities","details":"Apache has been updated to version 2.4.58 to fix several security\nissues.\n\nCVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed\nright away on RST (cve.mitre.org)\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time\nwindow were the request's memory resources were not reclaimed\nimmediately. Instead, de-allocation was deferred to connection close.\nA client could send new requests and resets, keeping the connection busy\nand open and causing the memory footprint to keep on growing. On\nconnection close, all resources were reclaimed, but the process might\nrun out of memory before that.\nThis was found by the reporter during testing of CVE-2023-44487\n(HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\"\nHTTP/2 use, the probability to hit this bug is very low. The kept memory\nwould not become noticeable before the connection closes or times out.\nUsers are recommended to upgrade to version 2.4.58, which fixes the\nissue.\nCredits: Will Dormann of Vul Labs\n\nCVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows\nsize 0 (cve.mitre.org)\nAn attacker, opening a HTTP/2 connection with an initial window size of\n0, was able to block handling of that connection indefinitely in Apache\nHTTP Server. This could be used to exhaust worker resources in the\nserver, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are\nterminated properly after the configured connection timeout.\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\nUsers are recommended to upgrade to version 2.4.58, which fixes the\nissue.\nCredits: Prof. Sven Dietrich (City University of New York)\n\nCVE-2023-31122: mod_macro buffer over-read\n(cve.mitre.org)\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.\nCredits: David Shoon (github/davidshoon)\n","modified":"2026-04-16T04:41:44.987317118Z","published":"2023-10-27T21:49:40Z","upstream":["CVE-2023-31122","CVE-2023-43622","CVE-2023-45802"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0304.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32415"},{"type":"WEB","url":"https://downloads.apache.org/httpd/CHANGES_2.4.58"}],"affected":[{"package":{"name":"apache","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.58-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0304.json"}},{"package":{"name":"apache","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.58-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0304.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}