Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2024-24795: apache2: HTTP Response Splitting in multiple modules | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | camila.matos, kstreitova, meissner, pgajdos, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/400371/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-24795:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-04-04 15:18:10 UTC
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
https://svn.apache.org/viewvc?view=revision&revision=1916777
This is quite large.
Submitted for ALP,15sp4,15sp2,12sp5/apache2. 15sp6 and 12sp2 remains.

> 15sp6 and 12sp2 remains.
Submitted also for 12sp2.

home:pgajdos:apache-test:after/apache-test looks good.

SUSE:SLFO:Main https://build.suse.de/request/show/329897

SUSE-SU-2024:1627-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:33762](https://smelt.suse.de/incident/33762/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise Server 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1788-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:33761](https://smelt.suse.de/incident/33761/)
Sources used:
SUSE Enterprise Storage 7.1 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): apache2-2.4.51-150200.3.62.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

15sp6 https://build.suse.de/request/show/331979

I believe all fixed.

SUSE-SU-2024:1963-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:34076](https://smelt.suse.de/incident/34076/)
Sources used:
openSUSE Leap 15.6 (src): apache2-event-2.4.58-150600.5.3.1, apache2-utils-2.4.58-150600.5.3.1, apache2-test_worker-2.4.58-150600.5.3.1, apache2-2.4.58-150600.5.3.1, apache2-worker-2.4.58-150600.5.3.1, apache2-test_event-2.4.58-150600.5.3.1, apache2-devel-2.4.58-150600.5.3.1, apache2-test_prefork-2.4.58-150600.5.3.1, apache2-manual-2.4.58-150600.5.3.1, apache2-prefork-2.4.58-150600.5.3.1, apache2-test_main-2.4.58-150600.5.3.1, apache2-test_devel-2.4.58-150600.5.3.1
Basesystem Module 15-SP6 (src): apache2-2.4.58-150600.5.3.1, apache2-prefork-2.4.58-150600.5.3.1
SUSE Package Hub 15 15-SP6 (src): apache2-2.4.58-150600.5.3.1, apache2-event-2.4.58-150600.5.3.1
Server Applications Module 15-SP6 (src): apache2-utils-2.4.58-150600.5.3.1, apache2-worker-2.4.58-150600.5.3.1, apache2-devel-2.4.58-150600.5.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.