fungi | a new week, a new vuln... looks like apache announced cve-2021-44224 to oss-security today, though i don't see it in the ubuntu cve tracker yet. the bit where an attacker could coerce mod_proxy to connect to a local unix socket is particularly worrisome | 15:29 |
---|---|---|
ubottu | A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224> | 15:29 |
mdeslaur | ugh | 15:45 |
teward | stupid q but when did the CVE get announced? Might not have been synced up into the tracker yet. | 15:51 |
teward | just stating the obvious | 15:51 |
teward | in other news: hell week #2 | 15:51 |
teward | (except that none of the Apaches I use or control or touch are affected so yay?) | 15:51 |
mdeslaur | we need to manually add CVEs, I'm adding them now | 15:51 |
fungi | thanks! i see it on the tracker now | 16:05 |
mdeslaur | well, the mod_proxy issue isn't an easy backport, so it's not going to be soon | 16:15 |