Bug 829722 (CVE-2021-44224, CVE-2021-44790) - <www-servers/apache-2.4.52: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-44224, CVE-2021-44790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://mail-archives.apache.org/mod_m...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 829787
Blocks:
Reported: 2021-12-20 17:56 UTC by Alexandra Parker
Modified: 2022-11-01 21:06 UTC
Description Alexandra Parker 2021-12-20 17:56:22 UTC
[CVE-2021-44790]

Severity: high

Description:

A carefully crafted request body can cause a buffer overflow in the 
mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability 
though it might be possible to craft one.

This issue affects Apache HTTP Server 2.4.51 and earlier.


[CVE-2021-44224]

Severity: moderate

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests 
on) can cause a crash (NULL pointer dereference) or, for configurations 
mixing forward and reverse proxy declarations, can allow for requests to 
be directed to a declared Unix Domain Socket endpoint (Server Side 
Request Forgery).

This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Reproducible: Always
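
Added example (not part of the original report, and not Gentoo or Apache code): a triage check that applies the two affected version ranges and preconditions stated above to a host's version string and httpd configuration. The sample configuration is constructed, and treating a ProxyPass or ProxyPassMatch target containing "unix:" as the "declared Unix Domain Socket endpoint" is an assumption of this sketch.

```python
import re

# Affected ranges exactly as stated in the bug description.
LUA_LAST_AFFECTED = (2, 4, 51)            # CVE-2021-44790: 2.4.51 and earlier
PROXY_AFFECTED = ((2, 4, 7), (2, 4, 51))  # CVE-2021-44224: 2.4.7 up to 2.4.51

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so
# ProxyRequests Off
ProxyRequests On
ProxyPass "/app" "unix:/run/app.sock|http://localhost/"
"""

def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Server version: Apache/2.4.51 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())

def directives(config_text):
    """Yield (lowercased name, argument string) for each active directive line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        # Skip comments and container tags; directives inside containers still count.
        if line and not line.startswith(("#", "<")):
            name, *rest = line.split(None, 1)
            yield name.lower(), (rest[0].strip() if rest else "")

def assess(version_text, config_text):
    """Map each CVE from this bug to the reason the host looks exposed."""
    version = parse_version(version_text)
    conf = list(directives(config_text))
    lua = any(n == "loadmodule" and a.split()[:1] == ["lua_module"] for n, a in conf)
    forward = any(n == "proxyrequests" and a.lower() == "on" for n, a in conf)
    uds = any(n in ("proxypass", "proxypassmatch") and "unix:" in a.lower() for n, a in conf)
    findings = {}
    if lua and version <= LUA_LAST_AFFECTED:
        findings["CVE-2021-44790"] = "mod_lua loaded; check Lua scripts for r:parsebody()"
    if forward and PROXY_AFFECTED[0] <= version <= PROXY_AFFECTED[1]:
        findings["CVE-2021-44224"] = (
            "forward proxy with UDS reverse proxy: crash or SSRF" if uds
            else "forward proxy enabled: crash")
    return findings

if __name__ == "__main__":
    for cve, why in assess("Server version: Apache/2.4.51 (Unix)", SAMPLE_CONF).items():
        print(cve, "-", why)
```

The check is deliberately conservative: it flags mod_lua whenever the module is loaded, because the configuration alone does not show whether any Lua script calls r:parsebody(), and it does not follow Include directives or evaluate IfDefine conditions.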
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 19:23:32 UTC
Thank you for reporting!

Maintainer, please bump.
Comment 2 Tomáš Mózes 2021-12-21 06:29:07 UTC
Just to note, tested on ~amd64, builds fine:

--- /usr/portage/www-servers/apache/apache-2.4.51-r2.ebuild     2021-12-11 10:10:12.000000000 +0000
+++ apache-2.4.52.ebuild        2021-12-21 06:24:04.690878075 +0000
@@ -146,8 +146,6 @@
 RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"
 REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"
 
-PATCHES=( "${FILESDIR}/apache-2.4.51-mpm-itk.patch" )
-
 pkg_setup() {
        # dependend critical modules which are not allowed in global scope due
        # to USE flag conditionals (bug #499260)
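Review bot: Dropping PATCHES=( "${FILESDIR}/apache-2.4.51-mpm-itk.patch" ) right after the REQUIRED_USE line needs a stated reason, since the diff and the note above it only establish that the new ebuild builds on ~amd64. Please say whether 2.4.52 already carries the mpm-itk change or the patch simply no longer applies, and put that in the commit message. If no remaining ebuild references the file, remove it from FILESDIR in the same change. A successful build does not exercise mpm-itk at runtime, so it is worth noting whether that was tested as well.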
Comment 3 Larry the Git Cow gentoo-dev 2021-12-21 11:02:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e552b498c45cdc084643a4ead21571fa1e7733a2

commit e552b498c45cdc084643a4ead21571fa1e7733a2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-12-21 11:01:40 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-12-21 11:02:00 +0000

    app-admin/apache-tools: Security bump to version 2.4.52
    
    Bug: https://bugs.gentoo.org/829722
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.52.ebuild | 101 ++++++++++++++++++++++
 2 files changed, 102 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63fd24e07333922857e74eaf461b60cf6cf1495e

commit 63fd24e07333922857e74eaf461b60cf6cf1495e
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-12-21 11:01:30 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-12-21 11:02:00 +0000

    www-servers/apache: Security bump to version 2.4.52
    
    Bug: https://bugs.gentoo.org/829722
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.52.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 01:15:06 UTC
Please clean up.
Comment 5 Larry the Git Cow gentoo-dev 2022-03-18 07:04:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a4578dd790e6f86332637a8679e740552728b2e

commit 6a4578dd790e6f86332637a8679e740552728b2e
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-03-18 07:03:32 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-03-18 07:03:32 +0000

    www-servers/apache: cleanup
    
    Bug: https://bugs.gentoo.org/829722
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest                |   1 -
 www-servers/apache/apache-2.4.51-r2.ebuild | 261 -----------------------------
 2 files changed, 262 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-08-14 00:11:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 00:15:47 UTC
GLSA released, all done!