813429 – (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438) <www-servers/apache-2.4.49: multiple vulnerabilities (CVE-2021-{33193,34798,36160,39275,40438})

Bug 813429 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438) - <www-servers/apache-2.4.49: multiple vulnerabilities (CVE-2021-{33193,34798,36160,39275,40438})

Summary: <www-servers/apache-2.4.49: multiple vulnerabilities (CVE-2021-{33193,34798,3...

Status:	RESOLVED FIXED

Alias:	CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://httpd.apache.org/security/vuln...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	815709 CVE-2021-42013
Blocks:
	Show dependency tree

Reported:	2021-09-17 01:39 UTC by John Helmert III
Modified:	2022-08-14 00:15 UTC (History)
CC List:	3 users (show)

See Also:	CVE-2021-41524, CVE-2021-41773
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-09-17 01:39:36 UTC

CVE-2021-33193:

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVE-2021-34798:

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-36160:

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVE-2021-39275:

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-40438:

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Please bump to 2.4.49.

Comment 1 Larry the Git Cow gentoo-dev

2021-09-18 07:03:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1e2c0178cad2e7b64deae625107ba91faee7ef3

commit e1e2c0178cad2e7b64deae625107ba91faee7ef3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-09-18 07:02:34 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-09-18 07:03:22 +0000

    www-servers/apache: add 2.4.49
    
    Bug: https://bugs.gentoo.org/813429
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.49.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)

Comment 2 Sam James archtester

2021-09-18 07:36:05 UTC

Thanks! Please file a stable bug when ready and have it block this one.

Comment 3 Sam James archtester

2021-09-28 19:05:10 UTC

(In reply to Sam James from comment #2)
> Thanks! Please file a stable bug when ready and have it block this one.

ping

Comment 4 Larry the Git Cow gentoo-dev

2021-10-05 20:43:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=633edec58613e0d0890ea9aeaf9438ffc2b948b0

commit 633edec58613e0d0890ea9aeaf9438ffc2b948b0
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:52 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                    |   2 -
 .../apache-tools/apache-tools-2.4.48-r1.ebuild     | 103 ---------------------
 app-admin/apache-tools/apache-tools-2.4.49.ebuild  | 103 ---------------------
 3 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf620fd588cd625269e3b9fb604b18655bca2722

commit bf620fd588cd625269e3b9fb604b18655bca2722
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-05 20:42:19 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-05 20:42:19 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/813429
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.4.48-r3.ebuild | 262 -----------------------------
 www-servers/apache/apache-2.4.49.ebuild    | 262 -----------------------------
 3 files changed, 526 deletions(-)

Comment 5 Larry the Git Cow gentoo-dev

2022-08-14 00:12:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7809350d99ef042a9f97a7a6edcb9ca5c28db476

commit 7809350d99ef042a9f97a7a6edcb9ca5c28db476
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:42 +0000

    [ GLSA 202208-20 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813429
    Bug: https://bugs.gentoo.org/816399
    Bug: https://bugs.gentoo.org/816864
    Bug: https://bugs.gentoo.org/829722
    Bug: https://bugs.gentoo.org/835131
    Bug: https://bugs.gentoo.org/850622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-20.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

Comment 6 John Helmert III archtester

2022-08-14 00:15:25 UTC

GLSA released, all done!