[pkg-uWSGI-devel] Bug#995368: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO

Sylvain Beucler beuc at beuc.net
Sat Oct 9 17:04:17 BST 2021


Hi,

On 05/10/2021 18:41, Sylvain Beucler wrote:
> forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

The Apache developers say there's an incorrect configuration in the 
first place.  For example,
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/
should be
ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081
following the warning about slashes in the documentation:
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

However, they are currently considering an additional patch to restore 
the previous (less strict) behavior.

Philippe, Josef, I prepared a build with the new patch, so you can test 
early:
https://people.debian.org/~beuc/lts/uwsgi/
https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb

I'm interested in your feedback.

Cheers!
Sylvain Beucler
Debian LTS Team
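An added illustration, not part of the message above and not Debian's or Apache's own configuration, showing the two ProxyPassMatch forms the message contrasts inside a minimal httpd 2.4 virtual host, so the trailing-slash rule from the mod_proxy documentation is visible in context. The host name, module paths and port binding are assumed placeholders; the backend address 127.0.0.1:8081 is the one from the report.

```apache
# Added example: minimal httpd 2.4 virtual host proxying /ui to a uWSGI
# backend. ServerName and module paths are placeholders, not from the bug.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

<VirtualHost *:80>
    ServerName example.invalid

    # Form the Apache developers flagged as incorrect: the pattern "^/ui"
    # has no trailing slash, but the backend URL does. This is the mismatch
    # the mod_proxy ProxyPass documentation warns about, and it is the
    # configuration behind the altered PATH_INFO seen after the
    # CVE-2021-36160 fix.
    #ProxyPassMatch "^/ui" "uwsgi://127.0.0.1:8081/"

    # Corrected form: trailing-slash usage agrees on both sides.
    ProxyPassMatch "^/ui" "uwsgi://127.0.0.1:8081"
</VirtualHost>
```

The corrected line works with both the strict fixed module and the follow-up patch that restores the previous, more lenient handling, so it is the safer choice regardless of which build is installed.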


