| Summary: | <www-servers/apache-2.2.21-r1 mod_proxy Reverse Proxy Mode Security Bypass (CVE-2011-3368) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs, axiator, pva |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/46288/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 368651 | | |
Description
Agostino Sarubbo
2011-10-06 12:49:02 UTC
CVE-2011-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368): The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Patch was added in apache-2.2.21-r1. Also I've added a dependency on >=apr-1.4.5 for the moderate apr_fnmatch flaw that leads to a mod_autoindex remote DoS, CVE-2011-0419 (bug 368651). Also a number of bugs were fixed:
Use extra_{,started}commands, bug #385637 by Martin von Gagern.
Check config during restart, bug #384997 wrt Christian Ruppert (idl0r).
Don't use pidof to check for running instances to make it more container friendly, bug #384267 by Stef Simoens.
Updated defaults in 00_default_settings.conf to better match upstream intentions, bug #387157 by Steve Dibb.
Arch teams, please, stabilize: www-servers/apache-2.2.21-r1 dev-libs/apr-1.4.5 dev-libs/apr-util-1.3.12

looks ok on a server.

amd64 ok

looks ok on a desktop

+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-1.4.5.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.
+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-util-1.3.12.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.
+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.21-r1.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.

Stable for HPPA.

ppc/ppc64 stable

arm stable

x86 stable

alpha/ia64/s390/sh/sparc stable

Thanks all. Added glsa vote request.

Thanks, everyone. GLSA Vote: yes.

Vote: Yes.

GLSA request filed.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).
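As an added illustration of the CVE-2011-3368 configuration pattern described above (this is not code from the bug report, from Gentoo or from Apache), the audit below parses constructed RewriteRule [P] and ProxyPassMatch lines, tests whether each rule's regex accepts a request target that does not begin with "/", and resolves which host the substituted URL would actually name. The hostnames, the config lines and the function names (parse_rules, effective_host, audit) are constructed; the leading-slash form ^(/.*) is the upstream-recommended configuration workaround for this issue.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration (not from the bug report).
SAMPLE_CONFIG = """
RewriteEngine On
RewriteRule ^(.*) http://intranet.example.internal$1 [P]
ProxyPassMatch ^(.*) http://backend.example.internal$1
RewriteRule ^(/.*) http://safe.example.internal$1 [P]
ProxyPass / http://plain.example.internal/
"""

RULE_RE = re.compile(
    r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[(.*)\])?", re.I)

def parse_rules(config):
    """Yield (directive, pattern, substitution) for rules that proxy requests."""
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        directive, pattern, subst, flags = m.groups()
        flag_list = [f.upper() for f in (flags or "").split(",")]
        # A RewriteRule only hands the request to mod_proxy with the [P] flag.
        if directive.lower() == "rewriterule" and "P" not in flag_list:
            continue
        yield directive, pattern, subst

def effective_host(pattern, subst, request_target):
    """Host mod_proxy would connect to for this target, or None if no match.
    Mimics the substitution step ($N -> pattern group N); Apache uses PCRE,
    but these simple patterns behave identically under Python's re."""
    m = re.match(pattern, request_target)
    if not m:
        return None
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
    # urlsplit treats text before '@' in the authority as userinfo, so the host moves.
    return urlsplit(url).hostname

def audit(config, probe="@other.example"):
    """Return rules whose pattern accepts a target not starting with '/',
    with the intended host and the host the probe target would reach."""
    findings = []
    for directive, pattern, subst in parse_rules(config):
        intended = effective_host(pattern, subst, "/")
        reached = effective_host(pattern, subst, probe)
        if reached is not None and reached != intended:
            findings.append((directive, pattern, intended, reached))
    return findings
```

Running audit(SAMPLE_CONFIG) flags the two ^(.*) rules and leaves the ^(/.*) rule and the plain ProxyPass alone.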