Public bug reported:
The fix introduced in
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.19
" * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
- debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
handling in modules/mappers/mod_rewrite.c.
- CVE-2024-38474
"
is causing issues by being not specific enough and blocking lots of
requests not exposed to the cve.
It has already been fixed in apache2 2.4.63
https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
"Bug 69197 - Fix for CVE-2024-38474 also blocks %3f in appended query strings"
Please port the changes to the detection code from mainline apache2.
Thank you
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2103723
Title:
Fix for CVE-2024-38474 also blocks %3f in appended query strings
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2103723/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
