829722 – (CVE-2021-44224, CVE-2021-44790) <www-servers/apache-2.4.52: multiple vulnerabilities

Bug 829722 (CVE-2021-44224, CVE-2021-44790) - <www-servers/apache-2.4.52: multiple vulnerabilities

Summary: <www-servers/apache-2.4.52: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2021-44224, CVE-2021-44790

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://mail-archives.apache.org/mod_m...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	829787
Blocks:
	Show dependency tree

Reported:	2021-12-20 17:56 UTC by Alexandra Parker
Modified:	2022-11-01 21:06 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandra Parker 2021-12-20 17:56:22 UTC

[CVE-2021-44790]

Severity: high

Description:

A carefully crafted request body can cause a buffer overflow in the 
mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability 
though it might be possible to craft one.

This issue affects Apache HTTP Server 2.4.51 and earlier.


[CVE-2021-44224]

Severity: moderate

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests 
on) can cause a crash (NULL pointer dereference) or, for configurations 
mixing forward and reverse proxy declarations, can allow for requests to 
be directed to a declared Unix Domain Socket endpoint (Server Side 
Request Forgery).

This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Reproducible: Always

Comment 1 John Helmert III archtester

2021-12-20 19:23:32 UTC

Thank you for reporting!

Maintainer, please bump.

Comment 2 Tomáš Mózes 2021-12-21 06:29:07 UTC

Just to note, tested on ~amd64, builds fine:

--- /usr/portage/www-servers/apache/apache-2.4.51-r2.ebuild     2021-12-11 10:10:12.000000000 +0000
+++ apache-2.4.52.ebuild        2021-12-21 06:24:04.690878075 +0000
@@ -146,8 +146,6 @@
 RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"
 REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"
 
-PATCHES=( "${FILESDIR}/apache-2.4.51-mpm-itk.patch" )
-
 pkg_setup() {
        # dependend critical modules which are not allowed in global scope due
        # to USE flag conditionals (bug #499260)

Comment 3 Larry the Git Cow gentoo-dev

2021-12-21 11:02:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e552b498c45cdc084643a4ead21571fa1e7733a2

commit e552b498c45cdc084643a4ead21571fa1e7733a2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-12-21 11:01:40 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-12-21 11:02:00 +0000

    app-admin/apache-tools: Security bump to version 2.4.52
    
    Bug: https://bugs.gentoo.org/829722
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.52.ebuild | 101 ++++++++++++++++++++++
 2 files changed, 102 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63fd24e07333922857e74eaf461b60cf6cf1495e

commit 63fd24e07333922857e74eaf461b60cf6cf1495e
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-12-21 11:01:30 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-12-21 11:02:00 +0000

    www-servers/apache: Security bump to version 2.4.52
    
    Bug: https://bugs.gentoo.org/829722
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.52.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)

Comment 4 John Helmert III archtester

2022-03-18 01:15:06 UTC

Please cleanup

Comment 5 Larry the Git Cow gentoo-dev

2022-03-18 07:04:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a4578dd790e6f86332637a8679e740552728b2e

commit 6a4578dd790e6f86332637a8679e740552728b2e
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-03-18 07:03:32 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-03-18 07:03:32 +0000

    www-servers/apache: cleanup
    
    Bug: https://bugs.gentoo.org/829722
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest                |   1 -
 www-servers/apache/apache-2.4.51-r2.ebuild | 261 -----------------------------
 2 files changed, 262 deletions(-)

Comment 6 Larry the Git Cow gentoo-dev

2022-08-14 00:11:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

Comment 7 John Helmert III archtester

2022-08-14 00:15:47 UTC

GLSA released, all done!