apache2-2.4.51-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11560-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-2.4.51-1.1 on GA media These are all security issues fixed in the apache2-2.4.51-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11560 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-41773/ SUSE CVE CVE-2021-41773 page https://www.suse.com/security/cve/CVE-2021-42013/ SUSE CVE CVE-2021-42013 page openSUSE Tumbleweed apache2-2.4.51-1.1 apache2-2.4.51-1.1 as a component of openSUSE Tumbleweed A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. CVE-2021-41773 openSUSE Tumbleweed:apache2-2.4.51-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41773.html CVE-2021-41773 https://bugzilla.suse.com/1191325 SUSE Bug 1191325 https://bugzilla.suse.com/1191476 SUSE Bug 1191476 It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. CVE-2021-42013 openSUSE Tumbleweed:apache2-2.4.51-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42013.html CVE-2021-42013 https://bugzilla.suse.com/1191476 SUSE Bug 1191476