Bug 29530 - apache new security issues CVE-2021-41524 and CVE-2021-41773
Summary: apache new security issues CVE-2021-41524 and CVE-2021-41773
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-05 13:54 CEST by David Walser
Modified: 2021-10-06 16:39 CEST (History)
6 users (show)

See Also:
Source RPM: apache-2.4.49-1.1.mga8.src.rpm
CVE: CVE-2021-41524, CVE-2021-41773
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-10-05 13:54:51 CEST 
Apache has announced version 2.4.50 on October 4:
https://downloads.apache.org/httpd/Announcement2.4.html

It fixes two security issues:
https://downloads.apache.org/httpd/CHANGES_2.4.50
https://httpd.apache.org/security/vulnerabilities_24.html
David Walser 2021-10-05 13:55:26 CEST

CC: (none) => nicolas.salguero, smelror
Status comment: (none) => Fixed upstream in 2.4.50

Comment 1 Nicolas Salguero 2021-10-05 14:28:38 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

. (CVE-2021-41524)

. (CVE-2021-41773)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
https://downloads.apache.org/httpd/Announcement2.4.html
https://downloads.apache.org/httpd/CHANGES_2.4.50
https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_proxy-2.4.50-1.mga8
apache-devel-2.4.50-1.mga8
apache-mod_http2-2.4.50-1.mga8
apache-mod_dav-2.4.50-1.mga8
apache-mod_ssl-2.4.50-1.mga8
apache-mod_cache-2.4.50-1.mga8
apache-mod_session-2.4.50-1.mga8
apache-mod_ldap-2.4.50-1.mga8
apache-mod_proxy_html-2.4.50-1.mga8
apache-mod_dbd-2.4.50-1.mga8
apache-mod_suexec-2.4.50-1.mga8
apache-htcacheclean-2.4.50-1.mga8
apache-mod_brotli-2.4.50-1.mga8
apache-mod_userdir-2.4.50-1.mga8
apache-2.4.50-1.mga8
apache-doc-2.4.50-1.mga8

from SRPM:
apache-2.4.50-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.4.50 => (none)
CVE: (none) => CVE-2021-41524, CVE-2021-41773

Comment 2 David Walser 2021-10-05 14:30:30 CEST 
CVE descriptions missing...
Comment 3 Nicolas Salguero 2021-10-05 14:41:26 CEST 
Ooops, very sorry!

Suggested advisory:
========================

The updated packages fix a security vulnerability:

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. (CVE-2021-41773)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
https://downloads.apache.org/httpd/Announcement2.4.html
https://downloads.apache.org/httpd/CHANGES_2.4.50
https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_proxy-2.4.50-1.mga8
apache-devel-2.4.50-1.mga8
apache-mod_http2-2.4.50-1.mga8
apache-mod_dav-2.4.50-1.mga8
apache-mod_ssl-2.4.50-1.mga8
apache-mod_cache-2.4.50-1.mga8
apache-mod_session-2.4.50-1.mga8
apache-mod_ldap-2.4.50-1.mga8
apache-mod_proxy_html-2.4.50-1.mga8
apache-mod_dbd-2.4.50-1.mga8
apache-mod_suexec-2.4.50-1.mga8
apache-htcacheclean-2.4.50-1.mga8
apache-mod_brotli-2.4.50-1.mga8
apache-mod_userdir-2.4.50-1.mga8
apache-2.4.50-1.mga8
apache-doc-2.4.50-1.mga8

from SRPM:
apache-2.4.50-1.mga8.src.rpm
Comment 4 Brian Rockwell 2021-10-06 04:55:56 CEST 
MGA8-32, Mate

The following 3 packages are going to be installed:

- apache-2.4.50-1.mga8.i586
- apache-htcacheclean-2.4.50-1.mga8.i586
- apache-mod_cache-2.4.50-1.mga8.i586


-- restarted http services


nextcloud working on test box as expected.

CC: (none) => brtians1

Comment 5 Brian Rockwell 2021-10-06 04:57:16 CEST 
MGA8-64, Mate

The following 3 packages are going to be installed:

- apache-2.4.50-1.mga8.x86_64
- apache-doc-2.4.50-1.mga8.noarch
- apache-mod_ssl-2.4.50-1.mga8.x86_64


-- recycled services

nextcloud working as expected.

Hoping someone else tries the other modules.
Comment 6 Herman Viaene 2021-10-06 11:56:27 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 29466 Comment 4.
http:localhost and https://localhost dsiplay "It works", after getting firefox to accept an exception on the check on https.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2021-10-06 13:48:50 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-10-06 16:08:26 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-10-06 16:39:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0461.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.