Bug 258988 - [PATCH] www/apache24 - Critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Cy Schubert
URL: http://httpd.apache.org/security/vuln...
Reported: 2021-10-07 16:59 UTC by Cy Schubert
Modified: 2023-01-17 20:56 UTC

See Also:
cy: maintainer-feedback+
cy: merge-quarterly+


Attachments
Update apache24 to 2.4.51 (839 bytes, patch)
2021-10-07 16:59 UTC, Cy Schubert

Description Cy Schubert freebsd_committer freebsd_triage 2021-10-07 16:59:50 UTC
Created attachment 228501
Update apache24 to 2.4.51

Fixed in Apache HTTP Server 2.4.51

critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)

    It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

    If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

    This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

    Acknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
    Reported to security team: 2021-10-06
    Update 2.4.51 released: 2021-10-07
    Affects: 2.4.50, 2.4.49
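
As an added example (not part of the bug report, the port, or Apache's advisory), the following shell helper checks the two conditions the advisory names: whether the installed version is 2.4.49 or 2.4.50, and whether the configuration still carries the default `Require all denied` on `<Directory />`. The function names and the FreeBSD config path in the final comment are assumptions, and `Include`d files are not followed.

```shell
#!/bin/sh
# Added example: audit helper for the advisory above; not part of the port.

# Pull "2.4.51" out of `httpd -v` style output read on stdin.
parse_httpd_version() {
    sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
}

# Succeed if the version is one the advisory lists as affected.
is_affected_version() {
    case "$1" in
        2.4.49|2.4.50) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the config file has a <Directory /> section that contains
# "Require all denied". Directive names are case-insensitive in httpd.
# Limitation (assumption): Include'd files are not followed.
root_default_deny() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<directory[ \t]+"?\/"?[ \t]*>/ { in_root = 1; next }
        line ~ /^<\/directory>/ { in_root = 0; next }
        in_root && line ~ /^require[ \t]+all[ \t]+denied[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Combine both checks. Prints a verdict; returns 0 (not affected),
# 1 (affected, default deny present) or 2 (affected, no default deny).
audit_httpd() {
    version=$1 conf=$2
    if ! is_affected_version "$version"; then
        echo "httpd $version: not listed as affected by CVE-2021-42013"
        return 0
    fi
    if root_default_deny "$conf"; then
        echo "httpd $version: AFFECTED, upgrade to 2.4.51 (root default deny present)"
        return 1
    fi
    echo "httpd $version: AFFECTED, upgrade to 2.4.51 (no 'Require all denied' on /)"
    return 2
}

# Typical use (paths are assumptions for a FreeBSD install):
#   audit_httpd "$(httpd -v | parse_httpd_version)" /usr/local/etc/apache24/httpd.conf
```

A return code of 1 still means the server needs the 2.4.51 update; the default deny only limits which files outside the aliased directories can be reached.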
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-10-07 17:11:29 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e721865a668c739dc5be7f15790024682bbc1dda

commit e721865a668c739dc5be7f15790024682bbc1dda
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2021-10-07 17:02:52 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2021-10-07 17:05:28 +0000

    www/apache24: Update to 2.4.51

    Fixes: critical: Path Traversal and Remote Code Execution in Apache
    HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
    (CVE-2021-42013)

    PR:             258988
    MFH:            2021Q4
    Security:       CVE-2021-41773, CVE-2021-42013

 www/apache24/Makefile | 2 +-
 www/apache24/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-10-07 17:24:32 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=185f1181c2d943d77f0c84abf0a4fed9f236e7f9

commit 185f1181c2d943d77f0c84abf0a4fed9f236e7f9
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2021-10-07 17:02:52 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2021-10-07 17:23:53 +0000

    www/apache24: Update to 2.4.51

    Fixes: critical: Path Traversal and Remote Code Execution in Apache
    HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
    (CVE-2021-42013)

    PR:             258988
    Security:       CVE-2021-41773, CVE-2021-42013
    (cherry picked from commit e721865a668c739dc5be7f15790024682bbc1dda)

 www/apache24/Makefile | 2 +-
 www/apache24/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2021-10-07 18:27:43 UTC
Emergency update committed.
Comment 4 Cy Schubert freebsd_committer freebsd_triage 2023-01-17 20:56:48 UTC
Patch committed to my local tree. I will push shortly.