I appreciate the httpd 2.4.55 update. After I updated our Apache, though, it broke our MariaDB installation. What we have is MariaDB 10.5.9 from when BullFreeware was serving packages. Now we're getting the below after a successful httpd update:
mysql -v
Could not load program mariadb:
Symbol resolution failed for mariadb because:
Symbol _GLOBAL__AIXI_libz_so (number 259) is not exported from dependent
module /opt/freeware/lib/libz.a[libz.so.1].
Symbol _GLOBAL__AIXD_libz_so (number 260) is not exported from dependent
module /opt/freeware/lib/libz.a[libz.so.1].
Examine .loader section symbols with the 'dump -Tv' command.
I had to revert to the previous Apache version and supporting RPMs to get MariaDB to work again.
We have installed:
mariadb-10.5.9-1.ppc
mariadb-common-10.5.9-1.ppc
mariadb-connector-c-3.2.4-1.ppc
mariadb-connector-c-devel-3.2.4-1.ppc
mariadb-devel-10.5.9-1.ppc
mariadb-errmsg-10.5.9-1.ppc
mariadb-server-10.5.9-1.ppc
mariadb-server-utils-10.5.9-1.ppc
mod_ssl-2.4.54-3.ppc
mysql-config-1.0-3.noarch
openldap-2.4.59-1.ppc
expat-2.5.0-1.ppc
httpd-2.4.54-3.ppc
libiconv-1.16-5.ppc
xz-5.2.5-1.ppc
xz-libs-5.2.5-1.ppc
zlib-1.2.11-5.ppc
------------------------------
Scott Gruber
------------------------------
Original Message:
Sent: Tue January 31, 2023 12:01 AM
From: RESHMA KUMAR
Subject: Please update httpd > httpd-2.4.55
We are working on this version of httpd (2.4.55) and will be uploading the same in AIX Toolbox by next week.
------------------------------
RESHMA KUMAR
------------------------------
Original Message:
Sent: Wed January 25, 2023 02:51 PM
From: Lisa Isaly
Subject: Please update httpd > httpd-2.4.55
Tenable is reporting these vulnerabilities in IBM httpd-2.4.54; please update to 2.4.55.
The version of Apache httpd installed on the remote host is prior to 2.4.55.
It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.55 advisory.
- A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier. (CVE-2006-20001)
- Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions. (CVE-2022-36760)
- Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. (CVE-2022-37436)
------------------------------
Lisa Isaly
------------------------------