| frickler | there's a regression in the latest apache2 updates at least for focal and impish. a request for e.g. /path/xyz gets passed to an uwsgi backend as /pat//xyz | 04:32 |
|---|---|---|
| frickler | or to be more precise, I get SCRIPT_NAME="/pat" instead of "/path" and PATH_INFO="//abc" instead of "/abc" | 05:02 |
| frickler | I hope this is enough to reproduce https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945274 | 05:13 |
| ubottu | Launchpad bug 1945274 in apache2 (Ubuntu) "security updates are breaking mod_wsgi apps" [Undecided, New] | 05:13 |
| sbeattie | frickler: thanks. | 05:20 |
| frickler | so the culprit seems to be CVE-2021-36160.patch , if I build the focal version without that patch, the issue is resolved | 05:31 |
| ubottu | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160> | 05:31 |
| sbeattie | yeah, that was the likely candidate. | 05:45 |
| frickler | so ... we are using this ProxyPass statement: ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api/" retry=0 | 06:09 |
| frickler | if I remove the trailing / in the uwsgi:// path, things get back to work. not sure if that's actually a bug in our deployment that was just uncovered by the CVE fix | 06:10 |
| frickler | it also only affects some apps, not everything | 06:10 |
| amurray | since there is no trailing / on "/placement" then I don't think there should be one on the uwsgi:// URI either | 06:18 |
| amurray | see https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass - "If the first argument ends with a trailing /, the second argument should also end with a trailing /, and vice versa. Otherwise, the resulting requests to the backend may miss some needed slashes and do not deliver the expected results." | 06:21 |
| === cpaelzer_ is now known as cpaelzer | ||
| === cpaelzer_ is now known as cpaelzer | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!