Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 816864 (CVE-2021-42013) - <www-servers/apache-2.4.51: remote code execution or directory traversal
Summary: <www-servers/apache-2.4.51: remote code execution or directory traversal
Status: RESOLVED FIXED
Alias: CVE-2021-42013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: C1 [glsa+]
Keywords:
Depends on: 816870
Blocks: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
  Show dependency tree
 
Reported: 2021-10-07 16:04 UTC by John Helmert III
Modified: 2022-08-14 00:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-07 16:04:57 UTC
From URL:

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.  

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."

Seems there's no fix mentioned.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-07 16:08:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a94cc280cdb4f52c63e21b8dc24968e40536385

commit 4a94cc280cdb4f52c63e21b8dc24968e40536385
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-10-07 16:07:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-10-07 16:08:21 +0000

    www-servers/apache: bump to v2.4.51
    
    Bug: https://bugs.gentoo.org/816864
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.51.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-07 20:16:09 UTC
Please cleanup.
Comment 3 Larry the Git Cow gentoo-dev 2021-10-08 06:48:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fc4a67bce4f01ef844dd2cd720a348527f42197

commit 6fc4a67bce4f01ef844dd2cd720a348527f42197
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-08 06:48:04 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-08 06:48:04 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816864
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 -
 app-admin/apache-tools/apache-tools-2.4.50.ebuild | 103 ----------------------
 2 files changed, 104 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a21676c8017485107e53c6b15c9d12c5ac87b1

commit c2a21676c8017485107e53c6b15c9d12c5ac87b1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-08 06:47:28 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-08 06:47:28 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816864
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.50.ebuild | 262 --------------------------------
 2 files changed, 263 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-14 00:12:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 00:15:41 UTC
GLSA released, all done!