The linked advisory looks very suspicious.
No reference, no description, nothing. If you search for the ID of the advisory, you find anything but nothing about an Apache problem.
It is not suspicious; dcert.de is the official site of “Deutsche Telekom Security GmbH” for security advisories.
If you have a login, you are able to see more information.
Here are the CVE numbers and some more links:
CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943
With Debian, the upstream version number is not always the relevant criterion for vulnerable vs. fixed.
In some cases, the Debian security team “backports” fixes from later versions to keep the installed version (feature-)stable. This would then be reflected in the Debian-specific part of the version string, while the upstream version number would remain unchanged.
That is one of the things I don’t want from a reliable source of information.
Also, if you look at a very current (not yet released) distribution like the next Ubuntu LTS, you will only have Apache 2.4.52 inside (at the moment).
But I had a look at my Ubuntu server patches today, and they all got the Apache fixes backported to 2.4.41 today; these fixes are the same in the current Debian versions.
Hi,
as of writing this reply, Debian has not published updates for this vulnerability and the distro used by the appliance. (See Information on source package apache2.)
Unfortunately, the information about these vulnerabilities is a bit scarce, but from what I found, three of the vulnerabilities do not matter for the appliance:
CVE-2022-23943 applies only to mod_sed, which is not used.
CVE-2022-22719 applies only to mod_lua, which is not used.
CVE-2022-22721 applies only to LimitXMLRequestBody, which is not used.
The fourth, CVE-2022-22720, is still pretty high (9.8). We will look into releasing a new version with the fixes.
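Added example (not code from the thread or from the appliance vendor): a POSIX shell check that does what the two replies above describe by hand. It splits a Debian/Ubuntu apache2 version string into upstream version and Debian revision, greps the package changelog for the four CVE IDs, and checks whether mod_sed and mod_lua are loaded. The changelog text and module listing are constructed samples so the script runs offline; the real sources are noted in the comments.

```shell
#!/bin/sh
# Split a Debian package version: drop an optional epoch and the Debian
# revision (everything after the last "-") to get the upstream version.
# e.g. "2.4.41-4ubuntu3.10" -> 2.4.41 ; revision -> 4ubuntu3.10
upstream_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-[^-]*$//'
}
debian_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Does a CVE id appear in the package changelog text?
# On a real host: zcat /usr/share/doc/apache2/changelog.Debian.gz
changelog_has_cve() {
    printf '%s\n' "$2" | grep -q -F "$1"
}

# Is a module loaded, given "apache2ctl -M" style output?
module_loaded() {
    printf '%s\n' "$2" | grep -q -E "^ *${1}_module "
}

# Constructed sample data (not a real changelog or module listing).
SAMPLE_CHANGELOG='apache2 (2.4.41-4ubuntu3.10) focal-security; urgency=medium

  * SECURITY UPDATE: backported fixes
    - CVE-2022-22719 (mod_lua)
    - CVE-2022-22720
    - CVE-2022-22721 (LimitXMLRequestBody)
    - CVE-2022-23943 (mod_sed)'

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
 rewrite_module (shared)'

report() {   # $1 version string, $2 changelog text, $3 module listing
    printf 'upstream %s, Debian revision %s\n' \
        "$(upstream_version "$1")" "$(debian_revision "$1")"
    for cve in CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943; do
        if changelog_has_cve "$cve" "$2"; then printf '%s: in changelog\n' "$cve"
        else printf '%s: NOT in changelog\n' "$cve"; fi
    done
    for mod in sed lua; do
        if module_loaded "$mod" "$3"; then printf 'mod_%s: loaded\n' "$mod"
        else printf 'mod_%s: not loaded\n' "$mod"; fi
    done
}
report "2.4.41-4ubuntu3.10" "$SAMPLE_CHANGELOG" "$SAMPLE_MODULES"
```

On a real host, feed it `dpkg-query -W -f='${Version}' apache2`, the decompressed changelog, and `apache2ctl -M` output; a CVE that is absent from the changelog is not proof of vulnerability, only a prompt to check the distribution's security tracker.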