Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1d6cd056 by Bastien Roucariès at 2024-07-09T21:29:47+00:00 CVE-2024-39573/apache2 Comment on patch https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388 said else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) { /* Not an absolute URI-path and the scheme (if any) is unknown, * and it won't be passed to fully_qualify_uri() below either, * so add an implicit '/' prefix. This avoids potentially a common * rule like "RewriteRule ^/some/path(.*) $1" that is given a path * like "/some/pathscheme:..." to produce the fully qualified URL * "scheme:..." which could be misinterpreted later. */ It is the description of CVE-2024-39573 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -2013,6 +2013,7 @@ CVE-2024-39884 (A regression in the core of Apache HTTP Server 2.4.60 ignores so CVE-2024-39573 (Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39573 + NOTE: likely fix according to comment in code https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388 CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6cd0564ff41a7a5de5bef47b0babe63271c4e6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6cd0564ff41a7a5de5bef47b0babe63271c4e6 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
