Name | CVE-2024-24795 |
Description | HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3818-1, DSA-5662-1 |
Debian Bugs | 1068412 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
apache2 (PTS) | bullseye | 2.4.62-1~deb11u1 | fixed |
| bullseye (security) | 2.4.62-1~deb11u2 | fixed |
| bookworm, bookworm (security) | 2.4.62-1~deb12u2 | fixed |
| sid, trixie | 2.4.62-3 | fixed |
uwsgi (PTS) | bullseye | 2.0.19.1-7.1 | vulnerable |
| bookworm | 2.0.21-5.1 | vulnerable |
| sid, trixie | 2.0.28-1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
https://www.openwall.com/lists/oss-security/2024/04/04/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8
Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.
https://github.com/unbit/uwsgi/issues/2635