Hello,

CERT-FR considers three new Apache2 vulnerabilities to be of concern [1]. These are:

- CVE-2022-37436 [2]
- CVE-2022-36760 [3]
- CVE-2006-20001 [4]

The first one will modify how clients may apply some security headers if a malicious backend triggers this bug (some headers will be in the response body). Ranked as 5.3 MEDIUM.

The second one is specific to mod_proxy_ajp, aka Java/Tomcat backend. Ranked as 9.0 CRITICAL.

The third one is a very old vulnerability in WebDAV, which is a read of one byte or buffer head overflow of 1 byte. This is ranked as 7.5 / HIGH.

My personal ranks are: don't care (my backends are not malicious :->), don't care (I don't run any Java software per policy). The last one bothers me more.

Do you know when this will be fixed in LTS? The security tracker [5] tells me that bullseye is not fixed yet either, and the no-DSA bothers me.

Thank you for looking into this.

[1] https://www.cert.ssi.gouv.fr/avis/CERTFR-2023-AVI-0035/?s=09
[2] https://www.cve.org/CVERecord?id=CVE-2022-37436
[3] https://www.cve.org/CVERecord?id=CVE-2022-36760
[4] https://www.cve.org/CVERecord?id=CVE-2006-20001
[5] https://security-tracker.debian.org/tracker/source-package/apache2