oss-sec mailing list archives

CVE-2020-1934: mod_proxy_ftp use of uninitialized value


From: Daniel Ruggeri <druggeri () apache org>
Date: Wed, 01 Apr 2020 07:54:12 -0500


CVE-2020-1934: mod_proxy_ftp use of uninitialized value

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0-2.4.41

Description:
Apache HTTP Server 2.4.0 to 2.4.41
mod_proxy_ftp may use uninitialized memory when proxying to a malicious
FTP server.
    
Mitigation:
Don't proxy to untrusted FTP servers prior to applying the fix.

Credit:
The issue was discovered by Chamal De Silva <chamal.desilva () gmail com>

References:
https://httpd.apache.org/security/vulnerabilities_24.html
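
A way to check a host against the advisory's version range and mitigation, as an added example that is not part of the original advisory or of Apache's code. It assumes the version banner comes from `httpd -v` and that the configuration is available as one text blob; `Include`d files and statically compiled modules (visible via `httpd -M`) are not followed, and the sample banner and configuration are constructed.

```python
import re

# Affected range as stated in the advisory: httpd 2.4.0 through 2.4.41.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 0), (2, 4, 41)

# Directives checked (httpd directive names are case-insensitive).
CHECKS = [
    (re.compile(r"LoadModule\s+proxy_ftp_module\b", re.I), "mod_proxy_ftp loaded"),
    (re.compile(r"ProxyRequests\s+On\b", re.I), "forward proxy enabled"),
    (re.compile(r"ProxyPass(Match)?\s+.*\bftp://", re.I), "ftp:// backend configured"),
]

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(banner):
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def ftp_proxy_findings(config_text):
    """Return [(line_no, reason)] for active directives relevant to FTP proxying."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        for pattern, reason in CHECKS:
            if pattern.match(line):
                findings.append((no, reason))
    return findings

def assess(banner, config_text):
    """Exposed = affected version AND mod_proxy_ftp loaded; findings say where."""
    findings = ftp_proxy_findings(config_text)
    loaded = any(r == "mod_proxy_ftp loaded" for _, r in findings)
    return {"affected": is_affected(banner), "module_loaded": loaded,
            "exposed": is_affected(banner) and loaded, "findings": findings}

# Constructed sample input (not from the advisory).
SAMPLE_BANNER = "Server version: Apache/2.4.39 (Unix)"
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# ProxyPass /old/ ftp://legacy.example.net/
ProxyRequests On
ProxyPass /mirror/ ftp://ftp.example.org/pub/
"""
```

With the forward proxy enabled, the client picks the FTP server, so every upstream is effectively untrusted; a fixed `ProxyPass` backend only needs review of that one host.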

