oss-sec mailing list archives

Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overflow


From: Seth Arnold <seth.arnold () canonical com>
Date: Sat, 8 Aug 2020 01:20:29 +0000

On Fri, Aug 07, 2020 at 06:31:38AM -0500, Daniel Ruggeri wrote:
> CVE-2020-11984: mod_uwsgi buffer overflow
> Versions Affected:
> httpd 2.4.32 to 2.4.44
>
> Description:
> Apache HTTP Server 2.4.32 to 2.4.44
> mod_proxy_uwsgi info disclosure and possible RCE
>
> References:
> https://httpd.apache.org/security/vulnerabilities_24.html

Hello Daniel, all,

I'm confused: this English description of affected versions
reads like 2.4.44 is affected. However, there is a heading on the
vulnerabilities_24.html page that says this CVE is fixed in 2.4.44.

Many projects include a "fixed in versions ..." list to indicate when
something is fixed; I think this is less ambiguous.

The "affects versions" don't always line up with the heading that claims
to be fixed, e.g. CVE-2019-10092 claims to be fixed in 2.4.41, but the
Affects entry doesn't mention 2.4.40.

The headings are out of order:

$ curl -sq https://httpd.apache.org/security/vulnerabilities_24.html | grep "Fixed in Apache"
Fixed in Apache httpd 2.4.44</h1><dl>
Fixed in Apache httpd 2.4.25</h1><dl>  # 2.4.25 is between 2.4.42 and 2.4.44
Fixed in Apache httpd 2.4.42</h1><dl>
Fixed in Apache httpd 2.4.41</h1><dl>
Fixed in Apache httpd 2.4.39</h1><dl>
[..]

The download site doesn't have a 2.4.40 download:
https://archive.apache.org/dist/httpd/

But the CHANGES_2.4.41 file shows a 2.4.40 release:
https://archive.apache.org/dist/httpd/CHANGES_2.4.41

I don't actually care that much about CVE-2019-10092 -- I just tried to
figure out the status of CVE-2020-11984 by looking at other examples on
the page and found the page difficult to understand.

And, something is a bit off with the CURRENT-IS-$version markers:

$ curl -sq https://archive.apache.org/dist/httpd/ | grep -c CURRENT
47

I expected one in each of the 2.0, 2.2, and 2.4 series, or perhaps just
one for the newest 2.4 release.

Thanks
