Fix for CVE-2021-40438 breaks existing configs

Bug #1945311 reported by Jean-Louis Dupond
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
High
Marc Deslauriers
Trusty
Undecided
Unassigned
Xenial
High
Leonidas S. Barbosa
Bionic
High
Marc Deslauriers
Focal
High
Marc Deslauriers
Hirsute
High
Marc Deslauriers
Impish
High
Marc Deslauriers

Bug Description

The patches introduced for CVE-2021-40438 break existing configs.

For example on Plesk:
https://support.plesk.com/hc/en-us/articles/4407366133906-Website-suddenly-started-to-show-500-error-AH10292-Invalid-proxy-UDS-filename

Upstream pushed some additional fixes for it:
https://github.com/apache/httpd/commit/6d476a66956a6a81ac8e1f7f419ef0697b9a0b76
https://github.com/apache/httpd/commit/6d76cbb9100bf34250ffba0bded08e075380be88

In Debian I guess they will be included also according to https://salsa.debian.org/apache-team/apache2/-/commit/e36582e866cd7e87600235ff9fcd47b960899e24

So I think it might be good to include those 2 into Ubuntu as well.

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in apache2 (Ubuntu Bionic):
status: New → Confirmed
Changed in apache2 (Ubuntu Focal):
status: New → Confirmed
Changed in apache2 (Ubuntu Hirsute):
status: New → Confirmed
Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Hirsute):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Impish):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here are the 2.4.x backports:

https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f
https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c

I will prepare updates that add those commits and will release them likely today.

Changed in apache2 (Ubuntu Bionic):
importance: Undecided → High
Changed in apache2 (Ubuntu Focal):
importance: Undecided → High
Changed in apache2 (Ubuntu Hirsute):
importance: Undecided → High
Changed in apache2 (Ubuntu Impish):
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu Trusty):
status: New → Confirmed
Changed in apache2 (Ubuntu Xenial):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The updates are currently building in the security team PPA here, in case someone wants to try them before they are published:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Revision history for this message
Aoshi (aoshi) wrote (last edit ):

I've installed the focal packages (apache2/apache2-bin/apache2-data/apache2-utils) and can confirm that this fixes the issue (with Plesk)

Revision history for this message
Ante Karamatić (ivoks) wrote :

Packages from PPA fix the problem on 18.04.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.6

---------------
apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:00:45 -0400

Changed in apache2 (Ubuntu Focal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.18

---------------
apache2 (2.4.29-1ubuntu4.18) bionic-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 07:01:16 -0400

Changed in apache2 (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.46-4ubuntu1.3

---------------
apache2 (2.4.46-4ubuntu1.3) hirsute-security; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 06:57:42 -0400

Changed in apache2 (Ubuntu Hirsute):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Impish):
status: Confirmed → Fix Committed
Changed in apache2 (Ubuntu Xenial):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Trusty):
status: Confirmed → Invalid
Changed in apache2 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.48-3.1ubuntu3

---------------
apache2 (2.4.48-3.1ubuntu3) impish; urgency=medium

  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
      rules in modules/mappers/mod_rewrite.c.
    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
      hostname in modules/mappers/mod_rewrite.c,
      modules/proxy/proxy_util.c.

 -- Marc Deslauriers <email address hidden> Tue, 28 Sep 2021 08:52:26 -0400

Changed in apache2 (Ubuntu Impish):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers