Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 816864 (CVE-2021-42013) - <www-servers/apache-2.4.51: remote code execution or directory traversal
Summary: <www-servers/apache-2.4.51: remote code execution or directory traversal
Status: CONFIRMED
Alias: CVE-2021-42013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: C1 [glsa?]
Keywords:
Depends on: 816870
Blocks: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
  Show dependency tree
 
Reported: 2021-10-07 16:04 UTC by John Helmert III
Modified: 2021-10-13 02:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-10-07 16:04:57 UTC
From URL:

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.  

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."

Seems there's no fix mentioned.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-07 16:08:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a94cc280cdb4f52c63e21b8dc24968e40536385

commit 4a94cc280cdb4f52c63e21b8dc24968e40536385
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-10-07 16:07:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-10-07 16:08:21 +0000

    www-servers/apache: bump to v2.4.51
    
    Bug: https://bugs.gentoo.org/816864
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.51.ebuild | 262 ++++++++++++++++++++++++++++++++
 2 files changed, 263 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-10-07 20:16:09 UTC
Please cleanup.
Comment 3 Larry the Git Cow gentoo-dev 2021-10-08 06:48:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fc4a67bce4f01ef844dd2cd720a348527f42197

commit 6fc4a67bce4f01ef844dd2cd720a348527f42197
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-08 06:48:04 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-08 06:48:04 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/816864
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 -
 app-admin/apache-tools/apache-tools-2.4.50.ebuild | 103 ----------------------
 2 files changed, 104 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a21676c8017485107e53c6b15c9d12c5ac87b1

commit c2a21676c8017485107e53c6b15c9d12c5ac87b1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-08 06:47:28 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-08 06:47:28 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/816864
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.50.ebuild | 262 --------------------------------
 2 files changed, 263 deletions(-)