Apache has announced version 2.4.49 today (September 16) https://downloads.apache.org/httpd/Announcement2.4.html It fixes several security issues: https://downloads.apache.org/httpd/CHANGES_2.4.49 https://httpd.apache.org/security/vulnerabilities_24.html Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.4.49Whiteboard: (none) => MGA8TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Suggested advisory: ======================== The updated packages fix security vulnerabilities: A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193) Malformed requests may cause the server to dereference a NULL pointer. (CVE-2021-34798) A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). (CVE-2021-36160) ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. (CVE-2021-39275) A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. (CVE-2021-40438) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438 https://downloads.apache.org/httpd/Announcement2.4.html https://downloads.apache.org/httpd/CHANGES_2.4.49 https://httpd.apache.org/security/vulnerabilities_24.html ======================== Updated packages in core/updates_testing: ======================== apache-mod_proxy-2.4.49-1.mga8 apache-devel-2.4.49-1.mga8 apache-mod_http2-2.4.49-1.mga8 apache-mod_dav-2.4.49-1.mga8 apache-mod_ssl-2.4.49-1.mga8 apache-mod_cache-2.4.49-1.mga8 apache-mod_session-2.4.49-1.mga8 apache-mod_ldap-2.4.49-1.mga8 apache-mod_proxy_html-2.4.49-1.mga8 apache-mod_dbd-2.4.49-1.mga8 apache-mod_suexec-2.4.49-1.mga8 apache-htcacheclean-2.4.49-1.mga8 apache-mod_brotli-2.4.49-1.mga8 apache-mod_userdir-2.4.49-1.mga8 apache-2.4.49-1.mga8 apache-doc-2.4.49-1.mga8 from SRPM: apache-2.4.49-1.mga8.src.rpm
Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsStatus comment: Fixed upstream in 2.4.49 => (none)CVE: (none) => CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438Source RPM: apache-2.4.48-2.mga9.src.rpm => apache-2.4.48-1.mga8.src.rpmVersion: Cauldron => 8CC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => (none)
Fedora has issued an advisory for this today (September 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
Just testing that http:localhost and https://localhost work. Advisory committed to svn.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0439.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED