stable

httpd-2.4.51-1.fc34

FEDORA-2021-2a10bc68a4 created by jorton 3 years ago for Fedora 34

This update addresses CVE-2021-42013.

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
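As an added example (not part of the advisory, and not Fedora or Apache project code), the following checks whether a configuration text still carries the "require all denied" default on the filesystem root and whether CGI is enabled alongside a weak root rule. It assumes Apache 2.4 `Require` syntax and a single configuration text with no `Include` following; the function name and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from any real host).
HARDENED = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
"""
EXPOSED = """\
<Directory />
    Options FollowSymLinks
    # Require all denied
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
"""

# <Directory path> ... </Directory>; DirectoryMatch is deliberately not matched.
SECTION = re.compile(
    r'^[ \t]*<Directory\s+"?([^">]+?)"?\s*>(.*?)^[ \t]*</Directory>',
    re.I | re.M | re.S)
FLAGS = re.I | re.M

def audit_root_access(conf_text):
    """Return findings about the filesystem-root access rule in one config text."""
    # Drop comment lines so a commented-out directive is not counted.
    text = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    findings = []
    roots = [body for path, body in SECTION.findall(text) if path.strip() == "/"]
    if not roots:
        findings.append("no <Directory /> block found")
    for body in roots:
        if re.search(r'^\s*Require\s+all\s+granted\b', body, FLAGS):
            findings.append("<Directory /> grants access to all")
        elif not re.search(r'^\s*Require\s+all\s+denied\b', body, FLAGS):
            findings.append("<Directory /> lacks 'Require all denied'")
    # CGI only matters here when the root rule is already weak.
    if findings and re.search(r'^\s*(ScriptAlias\b|Options\b.*\bExecCGI\b)', text, FLAGS):
        findings.append("CGI enabled: exposure extends to code execution")
    return findings

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit_root_access(conf) or "ok")
```

An empty result means the root deny rule is in place; it does not replace installing the fixed package.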

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2021-2a10bc68a4

This update has been submitted for testing by jorton.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
ptudor provided feedback 3 years ago
imsedgar provided feedback 3 years ago
ibims provided feedback 3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update's test gating status has been changed to 'failed'.

3 years ago
imabug provided feedback 3 years ago
Test Case HTTPd

FEDORA-2021-2a10bc68a4 ejected from the push because 'Required tests did not pass on this update'

3 years ago
chotaire commented & provided feedback 3 years ago

Tested as working in production (http, https, virtual hosts w/ SNI, mod_ssl, ipv4 & ipv6, ssllabs test (A+), logging, mod_security, mod_cloudflare) etc, updated from 2.4.50:

Time : Sa 09 Okt 2021 09:57:14 CEST
Return Code : Success
Releasever: 34
dnf update httpd-2.4.51-1.fc34.x86_64.rpm httpd-filesystem-2.4.51-1.fc34.noarch.rpm httpd-tools-2.4.51-1.fc34.x86_64.rpm mod_ssl-2.4.51-1.fc34.x86_64.rpm mod_lua-2.4.51-1.fc34.x86_64.rpm httpd-devel-2.4.51-1.fc34.x86_64.rpm

This update has been submitted for stable by bodhi.

3 years ago

FEDORA-2021-2a10bc68a4 ejected from the push because 'Required tests did not pass on this update'

3 years ago
ibims commented & provided feedback 3 years ago

Could someone (who knows what's going on with this update) correct this please?

msrb commented & provided feedback 3 years ago

I started the missing test manually. Let's see...

This update's test gating status has been changed to 'passed'.

3 years ago

This update has been submitted for testing by mooninite.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
carbenium provided feedback 3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update's test gating status has been changed to 'passed'.

3 years ago

This update has been pushed to stable.

3 years ago

Metadata
Type: security
Severity: high
Karma: 7
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 3 years ago
in stable: 3 years ago
BZ#2010758 CVE-2021-41773 httpd: path traversal and file disclosure vulnerability [fedora-all]
BZ#2011901 CVE-2021-42013 httpd: path traversal and remote code execution (incomplete fix of CVE-2021-41773) [fedora-all]

Test Cases

0 2 Test Case HTTPd