https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

--- Comment #3 from Sylvain Beucler <b...@beuc.net> ---
Hi,

Thanks for the fast answer.

I realize I didn't introduce myself clearly: I'm working on security updates
for Debian LTS, and I recently issued one for the libapache2-mod-proxy-uwsgi
package. I opened this bug after user reports of production failures
following the security update, e.g. for
https://github.com/tracim/tracim/blob/develop/tools_docker/Debian_Uwsgi/apache2.conf.sample


> CVE-2021-36160 is actually fixed by r1892874

I'm confused, as far as I understand:
- CVE-2021-36160 is fixed by r1892805 (mod_proxy_uwsgi)
  r1892805 was shipped as the fix for CVE-2021-36160 in Debian, Ubuntu and SuSE,
  in Apache HTTPD itself, and in the prior stand-alone module from unbit's uwsgi
- r1892874 fixes CVE-2021-40438 (mod_proxy)
  (+ 3 follow-up commits)

The regression discussed here is caused solely by the mod_proxy_uwsgi change
(r1892805).

What patch does one need to apply to fix CVE-2021-36160?


> Using one or the other depends on whether you want e.g. "/uwsgi-ppfoo" to be
> passed too or not (whereas "/uwsgi-pp/foo" will be passed by both).

Slight nitpick here, I believe 'ProxyPass /uwsgi-pp' won't match
'/uwsgi-ppfoo', and that the trailing slash/no-slash difference is whether
'/uwsgi-pp' would be 404 or passed :)


> However, I guess the following patch would remove multiple leading slashes
> [...]
> This would be something like this:

Thanks, I confirm the second patch restores the previous behavior for my test.

Do you intend to apply this to the 2.4.x branch, or will you keep the new
(stricter) behavior there?
