Your message dated Thu, 10 Oct 2024 15:47:08 +0000 with message-id <e1syvnc-000zsq...@fasolo.debian.org> and subject line Bug#1079172: fixed in apache2 2.4.62-1~deb12u2 has caused the Debian Bug report #1079172, regarding CVE-2024-38474/CVE-2024-38475 Regression to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1079172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Control: tags -1 + bullseye
Control: tags -1 + bookworm
Control: tags -1 + upstream
Control: Found -1 2.4.61-1~deb11u1

Dear Maintainer,

A tracking bug for a regression

> The SSRF fix in mod_rewrite introduced in r1918561 produces a "403
> Forbidden" response not only when an encoded question mark is introduced
> through a backreference but also when an existing query string appended via
> the QSA flag contains %3F.
>
> Steps to Reproduce:
>
> 1) Prepare a webroot with an index.html file.
>
> 2) Set up a vhost with the following rewrite rules
> (or add them to a .htaccess file):
> RewriteEngine On
> RewriteRule ^.*$ index.html?_path=$1 [L,QSA]
>
> 3) Access /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar in a web
> browser
>
> Actual Results:
>
> The HTTP server produces a "403 Forbidden" response.
>
> Only when the flag UnsafeAllow3F is added to the RewriteRule are the results
> as expected.
>
> Expected Results:
>
> The URL should have been rewritten to /index.html?_path=%2Ftest&foo=bar and
> the contents of index.html should have been delivered to the web browser.
>
> Additional Information:
>
> Rewrite rules similar to the one used in step 2 above are common in htaccess
> files delivered with PHP applications. To e.g. prevent issues with
> mod_cache, the original path is passed to the target script via the query
> string and all query string parameters from the original URL are appended
> via the QSA flag.
>
> This issue affects all URLs for these applications which contain a %3F
> somewhere in the query string. This commonly happens e.g. for search forms
> (the user may enter a question mark as part of the search query) and for
> scripts that send a URL in a query string (for example
> ?referer=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar).
>
> Thanks, Bastien
--- End Message ---
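An administrator who ran the affected 2.4.61/2.4.62 packages can size the impact of this regression from existing access logs: every request answered 403 whose query string carries a %3F is a candidate, and the same helper can state what the QSA rule should have produced once the fixed package is installed. This is an added example, not part of the bug report or of the Debian package; it assumes Common Log Format entries (the log lines below are constructed), the report's rule with $1 holding the full request path as its expected result `_path=%2Ftest` implies, and the function names are ours.

```python
import re
from urllib.parse import quote

# Constructed sample access-log lines (Common Log Format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:10:00:01 +0000] "GET /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar HTTP/1.1" 403 199
203.0.113.5 - - [10/Oct/2024:10:00:02 +0000] "GET /search?q=why%3F HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2024:10:00:03 +0000] "GET /search?q=hello HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 403 199
"""

# Request line and status code of a CLF entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Percent-encoded question mark, in either case (%3F / %3f).
ENCODED_QMARK = re.compile(r"%3f", re.IGNORECASE)


def has_encoded_question_mark(query: str) -> bool:
    """True if the query string carries a %3F, the trigger of the 403 regression."""
    return bool(ENCODED_QMARK.search(query))


def expected_rewrite(target: str) -> str:
    """Target the rule `RewriteRule ^.*$ index.html?_path=$1 [L,QSA]` should produce:
    the original path, percent-encoded, in _path, with the original query string
    appended unchanged by QSA (the 'Expected Results' of the report)."""
    path, _, query = target.partition("?")
    rewritten = "/index.html?_path=" + quote(path, safe="")
    return rewritten + "&" + query if query else rewritten


def suspect_regression_hits(log_text: str) -> list[str]:
    """Request targets answered 403 whose query contains %3F: the requests the
    regression most likely blocked and that should succeed after the fix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line; skip rather than guess
        _, _, query = m.group("target").partition("?")
        if m.group("status") == "403" and has_encoded_question_mark(query):
            hits.append(m.group("target"))
    return hits
```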
--- Begin Message ---
Source: apache2
Source-Version: 2.4.62-1~deb12u2
Done: Bastien Roucariès <ro...@debian.org>

We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1079...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Oct 2024 15:21:08 +0000
Source: apache2
Architecture: source
Version: 2.4.62-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1079172 1079206
Changes:
 apache2 (2.4.62-1~deb12u2) bookworm-security; urgency=medium
 .
 * Fix CVE-2024-38474 regression: Better question mark tracking to avoid UnsafeAllow3F (Closes: #1079172)
 * Fix CVE-2024-39884 regression: Trust strings from configuration in mod_proxy (Closes: #1079206)
 * Add myself as maintainer with Yadd agreement
--- End Message ---