Message-ID: <CAKQ1sVOHOU+iVCkeK1AqFDWhHq4uM8p9Hrx+XTen=fsJ=VxQyA@mail.gmail.com>
Date: Fri, 8 Oct 2021 23:27:37 +0200
From: Yann Ylavic <ylavic.dev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-42013: Path Traversal and Remote Code
 Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

On Fri, Oct 8, 2021 at 11:10 PM Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, Oct 08, 2021 at 08:37:33PM +0200, Yann Ylavic wrote:
> > On Fri, Oct 8, 2021 at 8:53 AM Roman Medina-Heigl Hernandez
> > <roman@...labs.com> wrote:
> > >
> > > I posted RCE exploit for this (it works for both CVEs: 41773 & 42013)
> > > and some other details regarding requirements / exploitability, which
> > > you may find useful at:
> > >
> > > https://twitter.com/roman_soft/status/1446252280597078024
> >
> > Thanks, that's a fair analysis.
>
> Yann is probably referring to the full tweet thread by Roman, not just
> the one tweet that Roman posted in here.  Let me correct that:

Exactly, thanks Alexander and sorry if I wasn't clear enough.

For completeness I'll add this tweet/blog from Stefan (OP) about the
vulnerability and the fixes in httpd:
https://twitter.com/icing/status/1446504661448593408

Regards;
Yann.
