CVE-2024-24795

Name	CVE-2024-24795
Description	HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5662-1
Debian Bugs	1068412

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u25	vulnerable
	stretch (security)	2.4.25-3+deb9u13	vulnerable
	stretch (lts), stretch	2.4.25-3+deb9u15	vulnerable
	buster	2.4.38-3+deb10u8	vulnerable
	buster (security)	2.4.38-3+deb10u10	vulnerable
	bullseye	2.4.56-1~deb11u2	vulnerable
	bullseye (security)	2.4.59-1~deb11u1	fixed
	bookworm	2.4.57-2	vulnerable
	bookworm (security)	2.4.59-1~deb12u1	fixed
	trixie	2.4.58-1	vulnerable
	sid	2.4.59-1	fixed
uwsgi (PTS)	jessie, jessie (lts)	2.0.7-1+deb8u5	vulnerable
	stretch (security)	2.0.14+20161117-3+deb9u5	vulnerable
	stretch (lts), stretch	2.0.14+20161117-3+deb9u6	vulnerable
	buster	2.0.18-1	vulnerable
	bullseye	2.0.19.1-7.1	vulnerable
	bookworm	2.0.21-5.1	vulnerable
	trixie	2.0.24-2	vulnerable
	sid	2.0.25.1-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
apache2	source	bullseye	2.4.59-1~deb11u1		DSA-5662-1
apache2	source	bookworm	2.4.59-1~deb12u1		DSA-5662-1
apache2	source	(unstable)	2.4.59-1			1068412
uwsgi	source	jessie	(unfixed)	end-of-life
uwsgi	source	stretch	(unfixed)
uwsgi	source	(unstable)	(unfixed)	unimportant

Notes

https://www.openwall.com/lists/oss-security/2024/04/04/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8
Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.
https://github.com/unbit/uwsgi/issues/2635
uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg}
packages which are provided by src:apache2 itself.