Mageia 8 MGASA-2021-0577 Critical: Apache Request Forgery and More
mageia
December 21, 2021
Updated apache packages fix security vulnerabilities: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, ...
Summary
Updated apache packages fix security vulnerabilities:
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests
on) can cause a crash (NULL pointer dereference) or, for configurations
mixing forward and reverse proxy declarations, can allow for requests to
be directed to a declared Unix Domain Socket endpoint (Server Side Request
Forgery) (CVE-2021-44224).
A carefully crafted request body can cause a buffer overflow in the mod_lua
multipart parser (r:parsebody() called from Lua scripts). The Apache httpd
team is not aware of an exploit for the vulnerabilty though it might be
possible to craft one (CVE-2021-44790).
References
- https://bugs.mageia.org/show_bug.cgi?id=29791
- https://downloads.apache.org/httpd/Announcement2.4.html
- - https://httpd.apache.org/security/vulnerabilities_24.html
- https://www.cve.org/CVERecord?id=CVE-2021-44224
- https://www.cve.org/CVERecord?id=CVE-2021-44790
Topics Covered
Resolution
SRPMS
- 8/core/apache-2.4.52-1.mga8
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 21 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0577.html
Type: security
CVE: CVE-2021-44224,
CVE-2021-44790
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!