CVE-2024-24795

NameCVE-2024-24795
DescriptionHTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3818-1, DSA-5662-1, ELA-1095-1, ELA-1098-1, ELA-1099-1
Debian Bugs1068412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)jessie, jessie (lts)2.4.10-10+deb8u29fixed
stretch (security)2.4.25-3+deb9u13vulnerable
stretch (lts), stretch2.4.25-3+deb9u19fixed
buster, buster (lts)2.4.59-1~deb10u4fixed
buster (security)2.4.59-1~deb10u1fixed
bullseye2.4.62-1~deb11u1fixed
bullseye (security)2.4.62-1~deb11u2fixed
bookworm (security), bookworm2.4.62-1~deb12u2fixed
sid, trixie2.4.62-3fixed
uwsgi (PTS)jessie, jessie (lts)2.0.7-1+deb8u5vulnerable
stretch (security)2.0.14+20161117-3+deb9u5vulnerable
stretch (lts), stretch2.0.14+20161117-3+deb9u7fixed
buster2.0.18-1vulnerable
bullseye2.0.19.1-7.1vulnerable
bookworm2.0.21-5.1vulnerable
sid, trixie2.0.28-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcejessie2.4.10-10+deb8u26ELA-1099-1
apache2sourcestretch2.4.25-3+deb9u16ELA-1098-1
apache2sourcebuster2.4.59-1~deb10u1DLA-3818-1
apache2sourcebullseye2.4.59-1~deb11u1DSA-5662-1
apache2sourcebookworm2.4.59-1~deb12u1DSA-5662-1
apache2source(unstable)2.4.59-11068412
uwsgisourcestretch2.0.14+20161117-3+deb9u7ELA-1095-1
uwsgisource(unstable)(unfixed)unimportant

Notes

https://www.openwall.com/lists/oss-security/2024/04/04/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8
Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.
https://github.com/unbit/uwsgi/issues/2635
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.

Search for package or bug name: Reporting problems