Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:1031-1 Final 1 1 2022-03-29T15:35:03Z current 2022-03-29T15:35:03Z 2022-03-29T15:35:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098). - CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095). - CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091). - CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2022-1031 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LVBWCEX7IVK73L73JHPXASP5AT5BZGS/ E-Mail link for openSUSE-SU-2022:1031-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1197091 SUSE Bug 1197091 https://bugzilla.suse.com/1197095 SUSE Bug 1197095 https://bugzilla.suse.com/1197096 SUSE Bug 1197096 https://bugzilla.suse.com/1197098 SUSE Bug 1197098 https://www.suse.com/security/cve/CVE-2022-22719/ SUSE CVE CVE-2022-22719 page https://www.suse.com/security/cve/CVE-2022-22720/ SUSE CVE CVE-2022-22720 page https://www.suse.com/security/cve/CVE-2022-22721/ SUSE CVE CVE-2022-22721 page https://www.suse.com/security/cve/CVE-2022-23943/ SUSE CVE CVE-2022-23943 page openSUSE Leap 15.3 apache2-2.4.51-150200.3.42.1 apache2-devel-2.4.51-150200.3.42.1 apache2-doc-2.4.51-150200.3.42.1 apache2-event-2.4.51-150200.3.42.1 apache2-example-pages-2.4.51-150200.3.42.1 apache2-prefork-2.4.51-150200.3.42.1 apache2-utils-2.4.51-150200.3.42.1 apache2-worker-2.4.51-150200.3.42.1 apache2-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-devel-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-doc-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-event-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-example-pages-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-prefork-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-utils-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 apache2-worker-2.4.51-150200.3.42.1 as a component of openSUSE Leap 15.3 A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. CVE-2022-22719 openSUSE Leap 15.3:apache2-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-devel-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-doc-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-event-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-utils-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-worker-2.4.51-150200.3.42.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LVBWCEX7IVK73L73JHPXASP5AT5BZGS/ https://www.suse.com/security/cve/CVE-2022-22719.html CVE-2022-22719 https://bugzilla.suse.com/1197091 SUSE Bug 1197091 https://bugzilla.suse.com/1198430 SUSE Bug 1198430 Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling CVE-2022-22720 openSUSE Leap 15.3:apache2-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-devel-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-doc-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-event-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-utils-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-worker-2.4.51-150200.3.42.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LVBWCEX7IVK73L73JHPXASP5AT5BZGS/ https://www.suse.com/security/cve/CVE-2022-22720.html CVE-2022-22720 https://bugzilla.suse.com/1197095 SUSE Bug 1197095 https://bugzilla.suse.com/1198430 SUSE Bug 1198430 https://bugzilla.suse.com/1198998 SUSE Bug 1198998 https://bugzilla.suse.com/1199102 SUSE Bug 1199102 https://bugzilla.suse.com/1199495 SUSE Bug 1199495 https://bugzilla.suse.com/1204730 SUSE Bug 1204730 If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. CVE-2022-22721 openSUSE Leap 15.3:apache2-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-devel-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-doc-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-event-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-utils-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-worker-2.4.51-150200.3.42.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LVBWCEX7IVK73L73JHPXASP5AT5BZGS/ https://www.suse.com/security/cve/CVE-2022-22721.html CVE-2022-22721 https://bugzilla.suse.com/1197096 SUSE Bug 1197096 https://bugzilla.suse.com/1198430 SUSE Bug 1198430 Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. CVE-2022-23943 openSUSE Leap 15.3:apache2-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-devel-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-doc-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-event-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-utils-2.4.51-150200.3.42.1 openSUSE Leap 15.3:apache2-worker-2.4.51-150200.3.42.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LVBWCEX7IVK73L73JHPXASP5AT5BZGS/ https://www.suse.com/security/cve/CVE-2022-23943.html CVE-2022-23943 https://bugzilla.suse.com/1197098 SUSE Bug 1197098 https://bugzilla.suse.com/1198430 SUSE Bug 1198430 https://bugzilla.suse.com/1200351 SUSE Bug 1200351