
Re: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO



Hi,

Thanks for your answer, and also thanks for the information about the wrong configuration of Apache.

I have tested both solutions you explained here and both work well.

If I apply the change in the Apache configuration (as explained in the official documentation about "/"), my app works well.
If I just apply your Debian patch, the app works well too.

So, we will wait for the Debian patch for the oldest installation, and I can now create a fix for the Tracim project about the wrong usage of "/" in the apache2 configuration.

Thanks a lot for your solution :) :) :)

Best regards.
Philippe
Sys Admin Algoo

On 2021-10-09 18:04, Sylvain Beucler wrote:
Hi,

On 05/10/2021 18:41, Sylvain Beucler wrote:
forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

The Apache developers say there's an incorrect configuration in the
first place.  For example,
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/
should be
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081
following the warning about slashes in the documentation:
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

However, they are currently considering an additional patch to restore
the previous (less strict) behavior.

Philippe, Josef, I prepared a build with the new patch, so you can test early:
https://people.debian.org/~beuc/lts/uwsgi/
https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb

I'm interested in your feedback.

Cheers!
Sylvain Beucler
Debian LTS Team
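The misconfiguration discussed in the quoted mail (a backend URL ending in "/" while the ProxyPassMatch pattern does not) is easy to lint for. The following check is an added example, not part of this thread or of Debian's patch; it applies the trailing-slash rule from the mod_proxy ProxyPass documentation to a constructed config snippet and flags mismatches, so an administrator can find affected directives before a stricter mod_proxy_uwsgi rejects requests.

```python
"""Lint Apache ProxyPass/ProxyPassMatch directives for a trailing-slash
mismatch between the path (or regex) argument and the backend URL."""
import shlex

# Constructed sample config (not a real Tracim or Debian file).
SAMPLE_CONF = """\
# proxy the UI to uwsgi (slash on the target only -> mismatch)
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081
ProxyPass /api/ uwsgi://127.0.0.1:8082/
ProxyPass /static/ http://127.0.0.1:8083
    ProxyPass /status !
"""

DIRECTIVES = ("ProxyPass", "ProxyPassMatch")


def check_directive(line):
    """Return a problem description for one config line, or None if fine."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = shlex.split(stripped)
    if len(parts) < 3 or parts[0] not in DIRECTIVES:
        return None
    directive, path, target = parts[0], parts[1], parts[2]
    if target == "!":  # exclusion rule, there is no backend URL to compare
        return None
    # The documented rule: both arguments end in "/" or neither does.
    if path.endswith("/") != target.endswith("/"):
        return f"{directive} {path} -> {target}: trailing-slash mismatch"
    return None


def lint_config(text):
    """Return a list of (line_number, problem) for every offending directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        problem = check_directive(line)
        if problem:
            findings.append((lineno, problem))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_config(SAMPLE_CONF):
        print(f"line {lineno}: {problem}")
```

The check only looks at the literal last character of a regex pattern, so patterns ending in `$` or a capture group need a manual look.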

