group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1945311] Re: Fix for CVE-2021-40438 breaks existing configs

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1945311@xxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Sep 2021 13:24:29 -0000
Reply-to: Bug 1945311 <1945311@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.6

---------------
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 28 Sep 2021
07:00:45 -0400

** Changed in: apache2 (Ubuntu Focal)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40438

** Changed in: apache2 (Ubuntu Bionic)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1945311

Title:
  Fix for CVE-2021-40438 breaks existing configs

Status in apache2 package in Ubuntu:
  Confirmed
Status in apache2 source package in Trusty:
  Confirmed
Status in apache2 source package in Xenial:
  Confirmed
Status in apache2 source package in Bionic:
  Fix Released
Status in apache2 source package in Focal:
  Fix Released
Status in apache2 source package in Hirsute:
  Confirmed
Status in apache2 source package in Impish:
  Confirmed

Bug description:
  The patches introduced for CVE-2021-40438 break existing configs.

  For example on Plesk:
  https://support.plesk.com/hc/en-us/articles/4407366133906-Website-suddenly-started-to-show-500-error-AH10292-Invalid-proxy-UDS-filename

  Upstream pushed some additional fixes for it:
  https://github.com/apache/httpd/commit/6d476a66956a6a81ac8e1f7f419ef0697b9a0b76
  https://github.com/apache/httpd/commit/6d76cbb9100bf34250ffba0bded08e075380be88

  In Debian I guess they will be included also according to
  https://salsa.debian.org/apache-
  team/apache2/-/commit/e36582e866cd7e87600235ff9fcd47b960899e24

  So I think it might be good to include those 2 into Ubuntu as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945311/+subscriptions