Bug#989683: Fwd: [Bug 1968013] CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request
On 10/06/2021 at 17:31, Yadd wrote:
> On 10/06/2021 at 14:07, Moritz Muehlenhoff wrote:
>> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote:
>>> On 10/06/2021 at 12:16, Yadd wrote:
>>>> On 10/06/2021 at 11:51, Yadd wrote:
>>>>> Hi,
>>>>>
>>>>> Hopefully there is an available-and-simple fix for #989562
>>>>> (CVE-2021-31618) !
>>>>>
>>>>> Cheers,
>>>>> Yadd
>>>>
>>>> Here is the debdiff
>>>
>>> Updated with all CVE fixes. Thanks to security-tracker and its
>>> maintainers ;-)
>>>
>>> Cheers,
>>> Yadd
>>
>>> diff --git a/debian/changelog b/debian/changelog
>>> index b6096f7d..41cb8b28 100644
>>> --- a/debian/changelog
>>> +++ b/debian/changelog
>>> @@ -1,3 +1,12 @@
>>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
>>> +
>>> + * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
>>> + (Closes: #989562, CVE-2021-31618)
>>> + * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
>>> + CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
>>
>> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567
>> https://www.openwall.com/lists/oss-security/2021/06/10/2
>>
>> The CVE ID is from 2019, but it got public yesterday with the other fixes.
>>
>> Cheers,
>> Moritz
>
> Hi,
>
> this adds a non-trivial patch (attached debdiff shows the difference
> with 2.4.46-6 which is already proposed in unblock issue (#989683)). I
> had to significantly modify the upstream patch. As proposed earlier, I think
> it should be safer to upload Apache 2.4.48 in Bullseye instead of
> this increasingly deviant hybrid (already 7 CVE patches!).
>
> @release-team: please consider this new debdiff as a pre-approval for
> 2.4.46-7
>
> Cheers,
> Yadd
And autopkgtest finally failed, so I'm not able to fix CVE-2019-31618...
(patch uses some other changes introduced in 2.4.47 or 2.4.48)