Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0803-1 Final 1 1 2023-03-20T10:13:24Z current 2023-03-20T10:13:24Z 2023-03-20T10:13:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2023-25690: Fixed HTTP request splitting with mod_rewrite and mod_proxy (bsc#1209047). The following non-security bugs were fixed: - Fixed passing health check does not recover worker from its error state (bsc#1208708). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-803,SUSE-OpenStack-Cloud-9-2023-803,SUSE-OpenStack-Cloud-Crowbar-9-2023-803,SUSE-SLE-SAP-12-SP4-2023-803,SUSE-SLE-SERVER-12-SP2-BCL-2023-803,SUSE-SLE-SERVER-12-SP4-ESPOS-2023-803,SUSE-SLE-SERVER-12-SP4-LTSS-2023-803 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230803-1/ Link for SUSE-SU-2023:0803-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/014095.html E-Mail link for SUSE-SU-2023:0803-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208708 SUSE Bug 1208708 https://bugzilla.suse.com/1209047 SUSE Bug 1209047 https://www.suse.com/security/cve/CVE-2023-25690/ SUSE CVE CVE-2023-25690 page SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 apache2-2.4.23-29.97.1 apache2-devel-2.4.23-29.97.1 apache2-doc-2.4.23-29.97.1 apache2-event-2.4.23-29.97.1 apache2-example-pages-2.4.23-29.97.1 apache2-prefork-2.4.23-29.97.1 apache2-utils-2.4.23-29.97.1 apache2-worker-2.4.23-29.97.1 apache2-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-doc-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-example-pages-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-prefork-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-utils-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-worker-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL apache2-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-doc-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-example-pages-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-prefork-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-utils-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-worker-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-doc-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-example-pages-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-prefork-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-utils-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-worker-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-doc-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-example-pages-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-prefork-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-utils-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-worker-2.4.23-29.97.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-doc-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-example-pages-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-prefork-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-utils-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-worker-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud 9 apache2-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 apache2-doc-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 apache2-example-pages-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 apache2-prefork-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 apache2-utils-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 apache2-worker-2.4.23-29.97.1 as a component of SUSE OpenStack Cloud Crowbar 9 Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. CVE-2023-25690 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-doc-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-example-pages-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-prefork-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-utils-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP2-BCL:apache2-worker-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-doc-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-example-pages-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-prefork-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-utils-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-worker-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-doc-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-example-pages-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-prefork-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-utils-2.4.23-29.97.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-worker-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-doc-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-example-pages-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-prefork-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-utils-2.4.23-29.97.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-worker-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-doc-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-example-pages-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-prefork-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-utils-2.4.23-29.97.1 SUSE OpenStack Cloud 9:apache2-worker-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-doc-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-example-pages-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-prefork-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-utils-2.4.23-29.97.1 SUSE OpenStack Cloud Crowbar 9:apache2-worker-2.4.23-29.97.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230803-1/ https://www.suse.com/security/cve/CVE-2023-25690.html CVE-2023-25690 https://bugzilla.suse.com/1209047 SUSE Bug 1209047 https://bugzilla.suse.com/1212409 SUSE Bug 1212409 https://bugzilla.suse.com/1212865 SUSE Bug 1212865