CVE-2024-24795

Name	CVE-2024-24795
Description	HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3818-1, DSA-5662-1, ELA-1095-1, ELA-1098-1, ELA-1099-1
Debian Bugs	1068412

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u29	fixed
	stretch (security)	2.4.25-3+deb9u13	vulnerable
	stretch (lts), stretch	2.4.25-3+deb9u19	fixed
	buster, buster (lts)	2.4.59-1~deb10u4	fixed
	buster (security)	2.4.59-1~deb10u1	fixed
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.62-1~deb11u2	fixed
	bookworm (security), bookworm	2.4.62-1~deb12u2	fixed
	sid, trixie	2.4.62-3	fixed
uwsgi (PTS)	jessie, jessie (lts)	2.0.7-1+deb8u5	vulnerable
	stretch (security)	2.0.14+20161117-3+deb9u5	vulnerable
	stretch (lts), stretch	2.0.14+20161117-3+deb9u7	fixed
	buster	2.0.18-1	vulnerable
	bullseye	2.0.19.1-7.1	vulnerable
	bookworm	2.0.21-5.1	vulnerable
	sid, trixie	2.0.28-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
apache2	source	jessie	2.4.10-10+deb8u26		ELA-1099-1
apache2	source	stretch	2.4.25-3+deb9u16		ELA-1098-1
apache2	source	buster	2.4.59-1~deb10u1		DLA-3818-1
apache2	source	bullseye	2.4.59-1~deb11u1		DSA-5662-1
apache2	source	bookworm	2.4.59-1~deb12u1		DSA-5662-1
apache2	source	(unstable)	2.4.59-1			1068412
uwsgi	source	jessie	(unfixed)	end-of-life
uwsgi	source	stretch	2.0.14+20161117-3+deb9u7		ELA-1095-1
uwsgi	source	(unstable)	(unfixed)	unimportant

Notes

https://www.openwall.com/lists/oss-security/2024/04/04/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8
Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.
https://github.com/unbit/uwsgi/issues/2635
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.