Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 813429 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438)

Summary: <www-servers/apache-2.4.49: multiple vulnerabilities (CVE-2021-{33193,34798,36160,39275,40438})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: apache-bugs, hydrapolic, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://httpd.apache.org/security/vulnerabilities_24.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=816399
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 815709, 816864    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-17 01:39:36 UTC
CVE-2021-33193:

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVE-2021-34798:

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-36160:

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVE-2021-39275:

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-40438:

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Please bump to 2.4.49.
Comment 1 Larry the Git Cow gentoo-dev 2021-09-18 07:03:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1e2c0178cad2e7b64deae625107ba91faee7ef3

commit e1e2c0178cad2e7b64deae625107ba91faee7ef3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-09-18 07:02:34 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-09-18 07:03:22 +0000

    www-servers/apache: add 2.4.49
    
    Bug: https://bugs.gentoo.org/813429
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.49.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 07:36:05 UTC
Thanks! Please file a stable bug when ready and have it block this one.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-28 19:05:10 UTC
(In reply to Sam James from comment #2)
> Thanks! Please file a stable bug when ready and have it block this one.

ping
Comment 4 Larry the Git Cow gentoo-dev 2021-10-05 20:43:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=633edec58613e0d0890ea9aeaf9438ffc2b948b0

commit 633edec58613e0d0890ea9aeaf9438ffc2b948b0
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:52 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                    |   2 -
 .../apache-tools/apache-tools-2.4.48-r1.ebuild     | 103 ---------------------
 app-admin/apache-tools/apache-tools-2.4.49.ebuild  | 103 ---------------------
 3 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf620fd588cd625269e3b9fb604b18655bca2722

commit bf620fd588cd625269e3b9fb604b18655bca2722
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:19 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:19 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.4.48-r3.ebuild | 262 -----------------------------
 www-servers/apache/apache-2.4.49.ebuild    | 262 -----------------------------
 3 files changed, 526 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-08-14 00:12:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 00:15:25 UTC
GLSA released, all done!