Fix for CVE-2024-38474 also blocks %3f in appended query strings
Bug #2103723 reported by
Christoph Herndler
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apache2 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Leonidas S. Barbosa | ||
Bionic |
Fix Released
|
Undecided
|
Leonidas S. Barbosa | ||
Focal |
Fix Released
|
Undecided
|
Leonidas S. Barbosa | ||
Jammy |
Fix Released
|
Undecided
|
Leonidas S. Barbosa | ||
Noble |
Fix Released
|
Undecided
|
Leonidas S. Barbosa | ||
Oracular |
Fix Released
|
Undecided
|
Leonidas S. Barbosa |
Bug Description
The fix introduced in https:/
" * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
- debian/
handling in modules/
- CVE-2024-38474
"
is causing issues by being not specific enough and blocking lots of requests not exposed to the cve.
It has already been fixed in apache2 2.4.63
https:/
"Bug 69197 - Fix for CVE-2024-38474 also blocks %3f in appended query strings"
Please port the changes to the detection code from mainline apache2.
Thank you
CVE References
Changed in apache2 (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in apache2 (Ubuntu Noble): | |
status: | New → Confirmed |
Changed in apache2 (Ubuntu Oracular): | |
status: | New → Confirmed |
Changed in apache2 (Ubuntu): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Xenial): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Bionic): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Jammy): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Noble): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Oracular): | |
assignee: | nobody → Leonidas S. Barbosa (leosilvab) |
Changed in apache2 (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Noble): | |
status: | Confirmed → In Progress |
Changed in apache2 (Ubuntu Oracular): | |
status: | Confirmed → In Progress |
Changed in apache2 (Ubuntu Focal): | |
status: | Confirmed → In Progress |
Changed in apache2 (Ubuntu Jammy): | |
status: | Confirmed → In Progress |
Changed in apache2 (Ubuntu): | |
assignee: | Leonidas S. Barbosa (leosilvab) → nobody |
Changed in apache2 (Ubuntu Xenial): | |
status: | In Progress → Fix Released |
Changed in apache2 (Ubuntu Bionic): | |
status: | In Progress → Fix Released |
To post a comment you must log in.
There were some releases after 2.4.41-4ubuntu3.19, but they don't seem to address this specific regression.
We have:
https:/ /launchpad. net/ubuntu/ +source/ apache2/ 2.4.41- 4ubuntu3. 20 patches/ CVE-2024- 38477-2. patch: restart from the original URL http2/mod_ proxy_http2. c.
* SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
- debian/
on reconnect in modules/
https:/ /launchpad. net/ubuntu/ +source/ apache2/ 2.4.41- 4ubuntu3. 21 patches/ CVE-2024- 40725.patch: copy the trusted flag from the http/http_ request. c.
* SECURITY UPDATE: source code disclosure with handlers configured via
AddType
- debian/
subrequest in modules/
- CVE-2024-40725
And this one is in focal-proposed: /launchpad. net/ubuntu/ +source/ apache2/ 2.4.41- 4ubuntu3. 22 apache2- maintscript- helper: Allow execution when called from a
https:/
* d/debhelper/
postinst script through a trigger (i.e., postinst triggered).
Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)
I checked the code in 2.4.41-4ubuntu3.22 and the patch[1] doesn't seem to be there indeed. I'll flag this bug here to the security team.
Note I couldn't get access to the svn commit, as it returned a 403[2]. Briefly checking the github mirror, it seems to be this commit[3].
1. https:/ /bz.apache. org/bugzilla/ attachment. cgi?id= 39815&action= diff&collapsed= &headers= 1&format= raw /svn.apache. org/viewvc? view=rev& rev=1919545 /github. com/apache/ httpd/commit/ a0a68b99d131741 c1867cff3214248 92838fc4b3
2. https:/
3. https:/