Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13332 closed enhancement (fixed)

httpd-2.4.43

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Douglas R. Reno, 4 years ago

Priority: normal → high

This seems to have two security fixes in it - CVE-2020-1927 (ineffective mitigation for CVE-2019-10098), and CVE-2020-1934

CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.39

Description:
Apache HTTP Server 2.4.0 to 2.4.41
Redirects configured with mod_rewrite that were intended to be self-referential
might be fooled by encoded newlines and redirect instead to an unexpected
URL within the request URL.

Note: This is the same defect as CVE-2019-10098. The fix for CVE-2019-10098 was
ineffective.

Mitigation:
Anchor captures used as back-references, prefix self-referential redirects with
/ or scheme, host, and port.

Credit:
The issue was discovered by Fabrice Perez

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2020-1934: mod_proxy_ftp use of uninitialized value

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0-2.4.41

Description:
Apache HTTP Server 2.4.0 to 2.4.41
mod_proxy_ftp may use uninitialized memory when proxying to a malicious
FTP server.
    
Mitigation:
Don't proxy to untrusted FTP servers prior to applying the fix.

Credit:
The issue was discovered by Chamal De Silva <chamal.desilva@gmail.com>

References:
https://httpd.apache.org/security/vulnerabilities_24.html
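
The mitigation quoted above for CVE-2020-1927 (anchor the captures you use as back-references, and prefix self-referential redirects with / or with scheme, host and port) can be checked mechanically across a configuration. The script below is an added example, not code from this ticket, from BLFS or from httpd: it walks RewriteRule lines and reports redirect rules ([R]) whose substitution starts with a back-reference such as $1 or %1, and redirect rules whose pattern is not anchored with ^. The sample configuration is constructed for the demonstration; the parser assumes one directive per line with whitespace-separated, unquoted arguments.

```python
"""Audit RewriteRule directives against the CVE-2020-1927 mitigation.

Added example, not part of the ticket or of httpd. Two checks are applied
to every redirect rule (a RewriteRule carrying the R flag):
  1. the substitution must not begin with a back-reference ($N or %N),
     i.e. it should start with / or scheme://host so the Location: header
     cannot start with attacker-influenced captured text;
  2. the pattern should be anchored with ^ so captures cannot start at an
     arbitrary position in the request URL.
Assumption: one directive per line, arguments separated by whitespace and
not quoted (quoted patterns containing spaces are not handled here).
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample httpd configuration (not taken from any real site).
SAMPLE_CONF = """\
RewriteEngine On
# Weak: the Location: header starts with whatever $1 captured.
RewriteRule ^/old/(.*)$ $1 [R=301,L]
# Hardened: target prefixed with /, so the redirect stays on this host.
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
# Hardened: absolute self-referential target (scheme and host first).
RewriteRule ^/legacy/(.*)$ https://%{HTTP_HOST}/current/$1 [R=302,L]
# Weak: pattern is not anchored, so the capture can start anywhere.
RewriteRule old/(.*)$ /new/$1 [R=302,L]
# Internal rewrite (no R flag): not a redirect, so not reported.
RewriteRule ^/img/(.*)$ /static/$1 [L]
"""

# A substitution that begins with $1..$9 or %1..%9.
BACKREF_AT_START = re.compile(r"^[$%]\d")


def parse_rewrite_rule(line: str) -> Optional[Tuple[str, str, Set[str]]]:
    """Return (pattern, substitution, flag names) for a RewriteRule line.

    Flag names are upper-cased with any =value stripped, so [R=301,L]
    yields {"R", "L"}. Returns None for lines that are not RewriteRule.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0].lower() != "rewriterule":
        return None
    pattern, subst = parts[1], parts[2]
    flags: Set[str] = set()
    if len(parts) > 3:
        for flag in parts[3].strip("[]").split(","):
            flags.add(flag.split("=", 1)[0].strip().upper())
    return pattern, subst, flags


def is_redirect(flags: Set[str]) -> bool:
    """True when the rule emits an external redirect ([R] or [redirect])."""
    return "R" in flags or "REDIRECT" in flags


def audit_rewrite_rules(conf: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every redirect rule that fails a check."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_rewrite_rule(line)
        if parsed is None:
            continue
        pattern, subst, flags = parsed
        if not is_redirect(flags):
            continue  # internal rewrites do not produce a Location: header
        if BACKREF_AT_START.match(subst):
            findings.append((lineno, "redirect target starts with a "
                             "back-reference; prefix it with / or scheme://host"))
        # A leading "!" negates the pattern; the regex itself follows it.
        if not pattern.lstrip("!").startswith("^"):
            findings.append((lineno, "redirect pattern is not anchored with ^"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
```

Run it against a real httpd.conf by reading the file into the `conf` argument; the check is deliberately narrow (it does not follow Include directives or evaluate RewriteCond), so treat a clean result as one input to review, not as proof that no open redirect remains.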

comment:2 by Bruce Dubbs, 4 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:3 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 22930.

comment:4 by Bruce Dubbs, 4 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:5 by Bruce Dubbs, 4 years ago

Milestone: 10,0 → 10.0

Milestone renamed
