Date: Sat, 16 Oct 2021 01:31:50 +0200
From: Yann Ylavic <ylavic.dev@...il.com>
To: Roman Medina-Heigl Hernandez <roman@...labs.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

Hi Román,

On Fri, Oct 15, 2021 at 8:01 PM Roman Medina-Heigl Hernandez
<roman@...labs.com> wrote:
>
> Re [1], I think this:
>
> "critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"
>
> is still misleading and should read:
>
> "critical: Path traversal and Remote Code Execution vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"

I (for one) would argue that admins/vendors that ship an RCE-vulnerable
custom configuration should reserve a CVE like this to notify their
users.
httpd does not, at least.

Cheers;
Yann.
