Date: Fri, 8 Oct 2021 23:27:37 +0200 From: Yann Ylavic <ylavic.dev@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) On Fri, Oct 8, 2021 at 11:10 PM Solar Designer <solar@...nwall.com> wrote: > > On Fri, Oct 08, 2021 at 08:37:33PM +0200, Yann Ylavic wrote: > > On Fri, Oct 8, 2021 at 8:53 AM Roman Medina-Heigl Hernandez > > <roman@...labs.com> wrote: > > > > > > I posted RCE exploit for this (it works for both CVEs: 41773 & 42013) > > > and some other details regarding requirements / exploitability, which > > > you may find useful at: > > > > > > https://twitter.com/roman_soft/status/1446252280597078024 > > > > Thanks, that's fair analysis. > > Yann is probably referring to the full tweet thread by Roman, not just > the one tweet that Roman posted in here. Let me correct that: Exactly, thanks Alexander and sorry if I wasn't clear enough. For completeness I'll add this tweet/blog from Stefan (OP) about the vulnerability and the fixes in httpd: https://twitter.com/icing/status/1446504661448593408 Regards; Yann.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.