Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Le 08/06/2021 à 10:51, Yadd a écrit :
> Le 08/06/2021 à 08:25, Yadd a écrit :
>> Le 08/06/2021 à 07:58, Yadd a écrit :
>>> Le 07/06/2021 à 17:34, Salvatore Bonaccorso a écrit :
>>>> Source: apache2
>>>> Version: 2.4.47-1
>>>> Severity: grave
>>>> Tags: security upstream
>>>> Justification: user security hole
>>>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>>>>
>>>> Hi,
>>>>
>>>> The following vulnerability was published for apache2.
>>>>
>>>> CVE-2021-31618[0]:
>>>> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>>>>
>>>> If you fix the vulnerability please also make sure to include the
>>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>>
>>>> For further information see:
>>>>
>>>> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
>>>> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
>>>> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>>>>
>>>> Please adjust the affected versions in the BTS as needed.
>>>>
>>>> Regards,
>>>> Salvatore
>>>
>>> Hi all,
>>>
>>> I can't import the whole patch for Bullseye since it is written for
>>> 2.4.47. I think the best solution is to import the whole http2 module in
>>> Bullseye. This gives the attached patch
>>>
>>> Cheers,
>>> Yadd
>>
>> We can also fix this for Buster using the same way (we did it previously
>> for 2.4.46). Here is the debdiff
>
> Update for Buster
I as wrong for both Bullseye and Buster: we can't import HTTP2 from
2.4.28 (too intrusive: SSL stack changed)
So I'll try to patch Apache but it seems not easy to do...
Cheers (and sorry),
Yadd
Reply to: