Bugzilla – Bug 1222332
VUL-0: CVE-2024-24795: apache2: HTTP Response Splitting in multiple modules
Last modified: 2024-06-14 08:00:09 UTC
From: Eric Covener <covener () apache org>
Date: Thu, 04 Apr 2024 13:57:26 +0000
Severity: low

Affected versions:
- Apache HTTP Server 2.4.0 through 2.4.58

Description:
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Credit:
Keran Mu, Tsinghua University and Zhongguancun Laboratory. (finder)
Jianjun Chen, Tsinghua University and Zhongguancun Laboratory. (finder)

References:
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-24795

Timeline:
2023-09-06: Reported to security team

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24795
https://seclists.org/oss-sec/2024/q2/31
https://www.cve.org/CVERecord?id=CVE-2024-24795
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org)
   HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
   Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.

https://svn.apache.org/viewvc?view=revision&revision=1916777

This is quite large.
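The advisory above describes the bug class only in one sentence. As an added illustration (not code from httpd or from the SUSE packaging), the following shows why a backend-supplied header value containing a bare CR/LF is dangerous and what a forwarding component must check before serializing such headers: a naive serializer turns one injected value into extra header lines, or into an early end of the header block followed by attacker-chosen body bytes, which is the desynchronization the advisory refers to. All header names, values and the serializer are constructed for this example.

```python
"""Defensive check for response-header injection (HTTP response splitting).

Constructed example: a minimal model of a proxy/CGI handler that forwards
headers produced by a backend application. Values are validated before they
are written to the wire; a naive serializer is kept only for comparison.
"""
import re

# Bytes that must never appear inside a header name or value on the wire.
_FORBIDDEN = re.compile(rb"[\x00\r\n]")
# RFC 9110 token characters permitted in a header field name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a backend header would split the response."""


def check_header(name: bytes, value: bytes) -> None:
    """Reject a (name, value) pair that cannot be emitted as exactly one line."""
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of {name!r}")


def is_safe_header(name: bytes, value: bytes) -> bool:
    try:
        check_header(name, value)
        return True
    except HeaderInjectionError:
        return False


def naive_serialize(headers) -> bytes:
    """Serializer that trusts the backend (the vulnerable behaviour)."""
    return b"".join(n + b": " + v + b"\r\n" for n, v in headers) + b"\r\n"


def safe_serialize(headers) -> bytes:
    """Same wire format, but every pair is validated first."""
    for n, v in headers:
        check_header(n, v)
    return naive_serialize(headers)


def split_response(block: bytes):
    """Parse a serialized head the way a downstream client or proxy would:
    header lines up to the first empty line, then everything after as body."""
    head, _, body = block.partition(b"\r\n\r\n")
    return (head.split(b"\r\n") if head else []), body
```

Running `split_response` over `naive_serialize` with a value that embeds `\r\n\r\n` shows the header block ending early and the remainder of the value arriving as response body; `safe_serialize` refuses the same input.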
Submitted for ALP,15sp4,15sp2,12sp5/apache2. 15sp6 and 12sp2 remains.
> 15sp6 and 12sp2 remains. Submitted also for 12sp2.
home:pgajdos:apache-test:after/apache-test looks good.
SUSE:SLFO:Main https://build.suse.de/request/show/329897
SUSE-SU-2024:1627-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:33762](https://smelt.suse.de/incident/33762/)

Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise Server 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): apache2-tls13-2.4.51-35.41.1, apache2-2.4.51-35.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1788-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:33761](https://smelt.suse.de/incident/33761/)

Sources used:
SUSE Enterprise Storage 7.1 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): apache2-2.4.51-150200.3.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): apache2-2.4.51-150200.3.62.1
15sp6 https://build.suse.de/request/show/331979 I believe all fixed.
SUSE-SU-2024:1963-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1221401, 1222330, 1222332
CVE References: CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Maintenance Incident: [SUSE:Maintenance:34076](https://smelt.suse.de/incident/34076/)

Sources used:
openSUSE Leap 15.6 (src): apache2-event-2.4.58-150600.5.3.1, apache2-utils-2.4.58-150600.5.3.1, apache2-test_worker-2.4.58-150600.5.3.1, apache2-2.4.58-150600.5.3.1, apache2-worker-2.4.58-150600.5.3.1, apache2-test_event-2.4.58-150600.5.3.1, apache2-devel-2.4.58-150600.5.3.1, apache2-test_prefork-2.4.58-150600.5.3.1, apache2-manual-2.4.58-150600.5.3.1, apache2-prefork-2.4.58-150600.5.3.1, apache2-test_main-2.4.58-150600.5.3.1, apache2-test_devel-2.4.58-150600.5.3.1
Basesystem Module 15-SP6 (src): apache2-2.4.58-150600.5.3.1, apache2-prefork-2.4.58-150600.5.3.1
SUSE Package Hub 15 15-SP6 (src): apache2-2.4.58-150600.5.3.1, apache2-event-2.4.58-150600.5.3.1
Server Applications Module 15-SP6 (src): apache2-utils-2.4.58-150600.5.3.1, apache2-worker-2.4.58-150600.5.3.1, apache2-devel-2.4.58-150600.5.3.1