GNU bug report logs - #51050
[PATCH] gnu: Apache httpd: Update to 2.4.50 [Fixes CVE-2021-{41524, 41773}].

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 6 Oct 2021 01:06:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 51050 in the body.
You can then email your comments to 51050 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#51050; Package guix-patches. (Wed, 06 Oct 2021 01:06:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 06 Oct 2021 01:06:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: Apache httpd: Update to 2.4.50 [Fixes CVE-2021-{41524,
 41773}].
Date: Tue,  5 Oct 2021 21:05:16 -0400

This update includes an important fix for an actively exploited path traversal
vulnerability (CVE-2021-41773), which allows attackers to access files outside
the "document root":

https://httpd.apache.org/security/vulnerabilities_24.html

* gnu/packages/web.scm (httpd): Update to 2.4.50.
---
 gnu/packages/web.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 0ea362c452..5819973c66 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -252,14 +252,14 @@
 (define-public httpd
   (package
     (name "httpd")
-    (version "2.4.49")
+    (version "2.4.50")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://apache/httpd/httpd-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0fqkfjcpdd40ji2279wfxh5hddb5jdxlnpjr0sbhva8fi7b6bfb5"))))
+               "03w9nc7v0rqljxazikbrlgbw7lq72i8n7n9ynlp6h1n6f301fa3a"))))
     (build-system gnu-build-system)
     (native-inputs `(("pcre" ,pcre "bin")))       ;for 'pcre-config'
     (inputs `(("apr" ,apr)
-- 
2.33.0
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 06 Oct 2021 04:09:02 GMT) Full text and rfc822 format available.
Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 06 Oct 2021 04:09:02 GMT) Full text and rfc822 format available.

Message #10 received at 51050-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 51050-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: Apache httpd: Update to 2.4.50 [Fixes
 CVE-2021-{41524, 41773}].
Date: Wed, 6 Oct 2021 00:07:43 -0400

Pushed as f868ed2a75b55400107b80fcc1e41dcfb6b3c28c
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 03 Nov 2021 11:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 2 years and 176 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.