CVE-2024-24795

NameCVE-2024-24795
DescriptionHTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3818-1, DSA-5662-1
Debian Bugs1068412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)bullseye2.4.62-1~deb11u1fixed
bullseye (security)2.4.62-1~deb11u2fixed
bookworm, bookworm (security)2.4.62-1~deb12u2fixed
sid, trixie2.4.62-3fixed
uwsgi (PTS)bullseye2.0.19.1-7.1vulnerable
bookworm2.0.21-5.1vulnerable
sid, trixie2.0.28-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcebuster2.4.59-1~deb10u1DLA-3818-1
apache2sourcebullseye2.4.59-1~deb11u1DSA-5662-1
apache2sourcebookworm2.4.59-1~deb12u1DSA-5662-1
apache2source(unstable)2.4.59-11068412
uwsgisource(unstable)(unfixed)unimportant

Notes

https://www.openwall.com/lists/oss-security/2024/04/04/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8
Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.
https://github.com/unbit/uwsgi/issues/2635

Search for package or bug name: Reporting problems