FEDORA-2021-2a10bc68a4 created by jorton 2 weeks ago for Fedora 34 (status: stable)

This update addresses CVE-2021-42013.

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
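The mitigation the description relies on is the default-deny pattern in httpd's configuration: the filesystem root is denied, and only the directories that Alias-like directives expose are granted. The fragment below is an added illustration of that pattern; it is not part of the Bodhi update or of the httpd project's own shipped configuration, and the alias names and paths (/static/, /srv/www/...) are placeholders.

```apache
# Added example, not from the update page. Paths and alias names are placeholders.

# Deny the whole filesystem by default. A request whose URL maps to a file
# outside an aliased directory then hits this rule instead of being served.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Expose exactly one directory through the alias and grant access only there.
Alias "/static/" "/srv/www/static/"
<Directory "/srv/www/static/">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Script execution is a separate grant. Keep it confined to a dedicated
# directory rather than enabling CGI for every aliased path.
ScriptAlias "/cgi-bin/" "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin/">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

After applying the update, `rpm -q httpd` confirms the installed package version and `httpd -t` checks that the configuration still parses before the service is reloaded.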

How to install

sudo dnf upgrade --advisory=FEDORA-2021-2a10bc68a4

This update has been submitted for testing by jorton. (2 weeks ago)

This update's test gating status has been changed to 'ignored'. (2 weeks ago)

This update's test gating status has been changed to 'waiting'. (2 weeks ago)

This update's test gating status has been changed to 'ignored'. (2 weeks ago)

ptudor provided feedback 2 weeks ago
imsedgar provided feedback 2 weeks ago
ibims provided feedback 2 weeks ago

This update has been submitted for stable by bodhi. (2 weeks ago)

This update's test gating status has been changed to 'failed'. (2 weeks ago)

imabug provided feedback 2 weeks ago (Test Case HTTPd)

FEDORA-2021-2a10bc68a4 ejected from the push because 'Required tests did not pass on this update' (2 weeks ago)

chotaire commented & provided feedback 2 weeks ago

Tested as working in production (http, https, virtual hosts w/ SNI, mod_ssl, ipv4 & ipv6, ssllabs test (A+), logging, mod_security, mod_cloudflare) etc., updated from 2.4.50:

Time        : Sa 09 Okt 2021 09:57:14 CEST
Return Code : Success
Releasever  : 34
dnf update httpd-2.4.51-1.fc34.x86_64.rpm httpd-filesystem-2.4.51-1.fc34.noarch.rpm httpd-tools-2.4.51-1.fc34.x86_64.rpm mod_ssl-2.4.51-1.fc34.x86_64.rpm mod_lua-2.4.51-1.fc34.x86_64.rpm httpd-devel-2.4.51-1.fc34.x86_64.rpm

This update has been submitted for stable by bodhi. (2 weeks ago)

FEDORA-2021-2a10bc68a4 ejected from the push because 'Required tests did not pass on this update' (2 weeks ago)

ibims commented & provided feedback 2 weeks ago

Could someone (who knows what's going on with this update) correct this please?

msrb commented & provided feedback 2 weeks ago

I started the missing test manually. Let's see...

This update's test gating status has been changed to 'passed'. (2 weeks ago)

This update has been submitted for testing by mooninite. (2 weeks ago)

This update's test gating status has been changed to 'ignored'. (2 weeks ago)

carbenium provided feedback 2 weeks ago

This update has been submitted for stable by bodhi. (2 weeks ago)

This update's test gating status has been changed to 'passed'. (2 weeks ago)

This update has been pushed to stable. (2 weeks ago)

Metadata
Type: security
Severity: high
Karma: 7
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 2 weeks ago
in stable: 2 weeks ago
BZ#2010758 CVE-2021-41773 httpd: path traversal and file disclosure vulnerability [fedora-all]
BZ#2011901 CVE-2021-42013 httpd: path traversal and remote code execution (incomplete fix of CVE-2021-41773) [fedora-all]

Automated Test Results

Test Cases

0 2 Test Case HTTPd