security updates are breaking mod_wsgi apps

Bug #1945274 reported by Dr. Jens Harbott
Affects: apache2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Seen with both 2.4.48-3.1ubuntu2 for impish and 2.4.41-4ubuntu3.5 for focal.

Steps to reproduce:
- Have a request log for your app as in https://modwsgi.readthedocs.io/en/master/user-guides/debugging-techniques.html#tracking-request-and-response
- App deployed at /app
- curl http://host/app/path

Expected (working fine with e.g. 2.4.41-4ubuntu3.4):
- App logs SCRIPT_NAME="/app" and PATH_INFO="/path"

Seen with latest pkgs:
- App logs SCRIPT_NAME="/ap" and PATH_INFO="//path"

Dr. Jens Harbott (j-harbott) wrote:

So the culprit seems to be CVE-2021-36160.patch; if I build the focal version without that patch, the issue is resolved.

Dr. Jens Harbott (j-harbott) wrote:

We are using

ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api/" retry=0

If I replace that by

ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api" retry=0

things are working fine again.

Alex Murray (alexmurray) wrote:

OK, so whilst this worked in the past, this was more by chance than by design, since, as documented upstream [1]:

 If the first argument ends with a trailing /, the second argument should also end with a trailing /, and vice versa. Otherwise, the resulting requests to the backend may miss some needed slashes and do not deliver the expected results.

As such I don't think this should be considered a regression due to the update in apache2 for CVE-2021-36160.

[1] https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

Changed in apache2 (Ubuntu):
status: New → Invalid
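The trailing-slash rule quoted above is easy to violate and, as this report shows, a mismatch may only bite after an unrelated update changes how mod_proxy normalises the path. The following is an added example (not code from the bug report, from Ubuntu, or from Apache httpd) of a small lint that reads an httpd configuration and flags every two-argument ProxyPass whose mount path and backend URL disagree on a trailing slash. The config fragment embedded in it is constructed for the example: its first line reproduces the mismatched form from the comment above, its second line the corrected form. The lint assumes the directive fits on one line, handles only ProxyPass (not ProxyPassMatch), and skips the exclusion form (`!`) and the argument-less form used inside a `<Location>` block, where there is no path to compare.

```python
import shlex
from typing import List, Tuple

# Constructed sample httpd.conf fragment (assumption: not the reporter's real
# config). Line 1 is the mismatched directive from the bug report, line 2 the
# corrected one; lines 3-5 are well-formed variants the lint must not flag.
SAMPLE_CONFIG = """\
ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api/" retry=0
ProxyPass "/placement" "unix:/var/run/uwsgi/placement-api.socket|uwsgi://uwsgi-uds-placement-api" retry=0
ProxyPass "/app/" "http://backend.example.internal:8080/app/"
ProxyPass /static http://backend.example.internal:8080/static
ProxyPass "/mirror/" "!"
"""

Directive = Tuple[int, str, str]  # (line number, mount path, target)


def _backend_url(target: str) -> str:
    """Strip a 'unix:/path/to.sock|' prefix; the trailing-slash rule applies
    to the URL mod_proxy actually forwards to, i.e. the part after '|'."""
    return target.rsplit("|", 1)[-1]


def proxypass_directives(config_text: str) -> List[Directive]:
    """Return (line number, path, target) for each ProxyPass directive.

    The <Location>-block form has no path argument; it is reported with an
    empty path so callers can tell it apart from the two-argument form.
    """
    found: List[Directive] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the "..." quoting httpd accepts
        except ValueError:
            continue  # unbalanced quotes: not a directive we can reason about
        if not tokens or tokens[0].lower() != "proxypass":
            continue
        args = tokens[1:]
        if not args:
            continue
        if args[0].startswith("/"):
            path, rest = args[0], args[1:]
        else:
            path, rest = "", args  # inside <Location ...>: only the target is given
        if not rest:
            continue
        found.append((lineno, path, rest[0]))
    return found


def find_mismatches(config_text: str) -> List[Directive]:
    """Return the directives whose mount path and backend URL disagree on a
    trailing slash, which upstream documents as unsupported."""
    bad: List[Directive] = []
    for lineno, path, target in proxypass_directives(config_text):
        if not path or target == "!":
            continue  # nothing to compare: exclusion, or <Location> form
        if path.endswith("/") != _backend_url(target).endswith("/"):
            bad.append((lineno, path, target))
    return bad


if __name__ == "__main__":
    for lineno, path, target in find_mismatches(SAMPLE_CONFIG):
        print(f"line {lineno}: ProxyPass {path!r} -> {target!r}: trailing slash mismatch")
```

Run it against `apache2ctl -t -D DUMP_INCLUDES` output (or simply against each file under `/etc/apache2/`) before applying an httpd security update; any line it reports is the kind of directive whose behaviour upstream does not promise to keep stable.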