oss-sec mailing list archives
Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
From: Seth Arnold <seth.arnold () canonical com>
Date: Sat, 8 Aug 2020 01:20:29 +0000
On Fri, Aug 07, 2020 at 06:31:38AM -0500, Daniel Ruggeri wrote:
CVE-2020-11984: mod_uwsgi buffer overlow Versions Affected: httpd 2.4.32 to 2.4.44
Description: Apache HTTP Server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
References: https://httpd.apache.org/security/vulnerabilities_24.html
Hello Daniel, all, I'm confused: this english description of affected versions reads like 2.4.44 is affected. However, there is a heading on the vulnerabilities_24.html page that says this CVE is fixed in 2.4.44. Many projects include a "fixed in versions ..." list to indicate when something is fixed; I think this is less ambiguous. The "affects versions" don't always line up with the heading that claims to be fixed, eg CVE-2019-10092 claims to be fixed in 2.4.41, but the Affects entry doesn't mention 2.4.40. The headings are out of order: $ curl -sq https://httpd.apache.org/security/vulnerabilities_24.html | grep "Fixed in Apache" Fixed in Apache httpd 2.4.44</h1><dl> Fixed in Apache httpd 2.4.25</h1><dl> # 2.4.25 is between 2.4.42 and 2.4.44 Fixed in Apache httpd 2.4.42</h1><dl> Fixed in Apache httpd 2.4.41</h1><dl> Fixed in Apache httpd 2.4.39</h1><dl> [..] The download site doesn't have a 2.4.40 download: https://archive.apache.org/dist/httpd/ But the CHANGES_2.4.41 file shows a 2.4.40 release: https://archive.apache.org/dist/httpd/CHANGES_2.4.41 I don't actually care that much about CVE-2019-10092 -- I just tried to figure out the status of CVE-2020-11984 by looking at other examples on the page and found the page difficult to understand. And, something is a bit off with the CURRENT-IS-$version markers: $ curl -sq https://archive.apache.org/dist/httpd/ | grep -c CURRENT 47 I expected one in each of the 2.0, 2.2, and 2.4 series, or perhaps just one for the newest 2.4 release. Thanks
Attachment:
signature.asc
Description:
Current thread:
- CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Daniel Ruggeri (Aug 07)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Solar Designer (Aug 07)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Daniel Ruggeri (Aug 08)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Solar Designer (Aug 08)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Joe Orton (Aug 17)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Daniel Ruggeri (Aug 08)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Solar Designer (Aug 07)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Seth Arnold (Aug 07)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Daniel Ruggeri (Aug 08)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Seth Arnold (Aug 10)
- Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow Daniel Ruggeri (Aug 08)