Bug 816399 (CVE-2021-41524, CVE-2021-41773)

Summary:	=www-servers/apache-2.4.49: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	apache-bugs, hydrapolic
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=813429 https://bugs.gentoo.org/show_bug.cgi?id=816864
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	816402
Bug Blocks:

Description Hanno Böck gentoo-dev

2021-10-05 10:02:11 UTC

CVE-2021-41773 sounds like a severe vulnerability, possibly allowing access to files outside the webroot:
https://httpd.apache.org/security/vulnerabilities_24.html

Only 2.4.49 is affected, but we have that already as our current stable version.

2.4.50 is already in the tree, I think we should stabilize quickly.

Comment 1 Larry the Git Cow gentoo-dev

2021-10-05 20:43:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=633edec58613e0d0890ea9aeaf9438ffc2b948b0

commit 633edec58613e0d0890ea9aeaf9438ffc2b948b0
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:52 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                    |   2 -
 .../apache-tools/apache-tools-2.4.48-r1.ebuild     | 103 ---------------------
 app-admin/apache-tools/apache-tools-2.4.49.ebuild  | 103 ---------------------
 3 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf620fd588cd625269e3b9fb604b18655bca2722

commit bf620fd588cd625269e3b9fb604b18655bca2722
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:19 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:19 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.4.48-r3.ebuild | 262 -----------------------------
 www-servers/apache/apache-2.4.49.ebuild    | 262 -----------------------------
 3 files changed, 526 deletions(-)

Comment 2 Larry the Git Cow gentoo-dev

2022-08-14 00:12:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

Comment 3 John Helmert III archtester

2022-08-14 00:15:33 UTC

GLSA released, all done!