Opened 2 years ago

Closed 2 years ago

#15882 closed enhancement (fixed)

httpd-2.4.52

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version. Looks like a security release.

Change History (3)

comment:1 by Douglas R. Reno, 2 years ago

CVE-2021-44224

Severity: moderate

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

CVE-2021-44790

Severity: high

Description:

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

This issue affects Apache HTTP Server 2.4.51 and earlier.

comment:2 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 13c75b20fa0b3bb3676908f6d54c00db2430f8bb

Package updates.
    Update to httpd-2.4.52.
    Update to asciidoc-10.1.1.
    Update to icewm-2.9.3.