{"id":"MGASA-2021-0461","summary":"Updated apache packages fix security vulnerabilities","details":"The updated packages fix security vulnerabilities:\n\nWhile fuzzing the 2.4.49 httpd, a new null pointer dereference was\ndetected during HTTP/2 request processing, allowing an external source\nto DoS the server. This requires a specially crafted request. The\nvulnerability was recently introduced in version 2.4.49. No exploit is\nknown to the project (CVE-2021-41524).\n\nA flaw was found in a change made to path normalization in Apache HTTP\nServer 2.4.49. An attacker could use a path traversal attack to map URLs\nto files outside the expected document root. If files outside of the\ndocument root are not protected by \"require all denied\" these requests can\nsucceed. Additionally this flaw could leak the source of interpreted files\nlike CGI scripts. This issue is known to be exploited in the wild. This\nissue only affects Apache 2.4.49 and not earlier versions (CVE-2021-41773).\n","modified":"2026-04-16T00:12:36.266866349Z","published":"2021-10-06T14:38:41Z","upstream":["CVE-2021-41524","CVE-2021-41773"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0461.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29530"},{"type":"WEB","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"WEB","url":"https://downloads.apache.org/httpd/Announcement2.4.html"},{"type":"WEB","url":"https://downloads.apache.org/httpd/CHANGES_2.4.50"}],"affected":[{"package":{"name":"apache","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.50-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0461.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]
}