oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 8 Oct 2021 23:44:15 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

On Fri, Oct 08, 2021 at 11:27:37PM +0200, Yann Ylavic wrote:
> For completeness I'll add this tweet/blog from Stefan (OP) about the
> vulnerability and the fixes in httpd:
> https://twitter.com/icing/status/1446504661448593408

Thanks, but you just did that again...  For completeness, let's have the
actual content on the list, not only links to content.

That tweet above refers to "Apache httpd 2.4.50 post mortem" at:

https://github.com/icing/blog/blob/main/httpd-2.4.50.md

I'm attaching the httpd-2.4.50.md file above to this message.

This way, historians will be able to make full sense of the thread in
here even after Twitter and GitHub are gone. ;-)

Alexander

View attachment "httpd-2.4.50.md" of type "text/plain" (12917 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.