816399 – (CVE-2021-41524, CVE-2021-41773) =www-servers/apache-2.4.49: Multiple vulnerabilities

Bug 816399 (CVE-2021-41524, CVE-2021-41773) - =www-servers/apache-2.4.49: Multiple vulnerabilities

Summary: =www-servers/apache-2.4.49: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2021-41524, CVE-2021-41773

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	816402
Blocks:
	Show dependency tree

Reported:	2021-10-05 10:02 UTC by Hanno Böck
Modified:	2022-08-14 00:15 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438 CVE-2021-42013
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2021-10-05 10:02:11 UTC

CVE-2021-41773 sounds like a severe vulnerability, possibly allowing access to files outside the webroot:
https://httpd.apache.org/security/vulnerabilities_24.html

Only 2.4.49 is affected, but we have that already as our current stable version.

2.4.50 is already in the tree, I think we should stabilize quickly.

Comment 1 Larry the Git Cow gentoo-dev

2021-10-05 20:43:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=633edec58613e0d0890ea9aeaf9438ffc2b948b0

commit 633edec58613e0d0890ea9aeaf9438ffc2b948b0
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:52 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                    |   2 -
 .../apache-tools/apache-tools-2.4.48-r1.ebuild     | 103 ---------------------
 app-admin/apache-tools/apache-tools-2.4.49.ebuild  | 103 ---------------------
 3 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf620fd588cd625269e3b9fb604b18655bca2722

commit bf620fd588cd625269e3b9fb604b18655bca2722
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:19 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:19 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.4.48-r3.ebuild | 262 -----------------------------
 www-servers/apache/apache-2.4.49.ebuild    | 262 -----------------------------
 3 files changed, 526 deletions(-)

Comment 2 Larry the Git Cow gentoo-dev

2022-08-14 00:12:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

Comment 3 John Helmert III archtester

2022-08-14 00:15:33 UTC

GLSA released, all done!