[Bug 258988] [PATCH] www/apache34 - ritical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache34 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "maintainer-feedback requested: [Bug 258988] [PATCH] www/apache34 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 258988] [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 07 Oct 2021 16:59:50 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258988
Bug ID: 258988
Summary: [PATCH] www/apache34 - ritical: Path Traversal and
Remote Code Execution in Apache HTTP Server 2.4.49 and
2.4.50 (incomplete fix of CVE-2021-41773)
(CVE-2021-42013)
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: http://httpd.apache.org/security/vulnerabilities_24.ht
ml
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: apache@FreeBSD.org
Reporter: cy@FreeBSD.org
Flags: maintainer-feedback?, merge-quarterly?
Created attachment 228501
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228501&action=edit
Update apache24 to 2.4.51
Fixed in Apache HTTP Server 2.4.51
critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49
and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50
was insufficient. An attacker could use a path traversal attack to map URLs to
files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual
default configuration "require all denied", these requests can succeed. If CGI
scripts are also enabled for these aliased pathes, this could allow for remote
code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier
versions.
Acknowledgements: Reported by Juan Escobar from Dreamlab Technologies,
Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
Reported to security team 2021-10-06
Update 2.4.51 released 2021-10-07
Affects 2.4.50, 2.4.49
--
You are receiving this mail because:
You are the assignee for the bug.