Bugzilla – Bug 1168407
VUL-1: CVE-2020-1927: apache2: mod_rewrite configurations vulnerable to open redirect
Last modified: 2021-01-12 12:16:34 UTC
CVE-2020-1927 In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. Note: This is the same defect as CVE-2019-10098. The fix for CVE-2019-10098 was ineffective. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1927 http://www.openwall.com/lists/oss-security/2020/04/01/4 http://seclists.org/oss-sec/2020/q2/3
The most recent release note provides more details: >Changes with Apache 2.4.43 > > *) SECURITY: CVE-2020-1927 (cve.mitre.org) > rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable > matches and substitutions with encoded line break characters. > The fix for CVE-2019-10098 was not effective. [Ruediger Pluem] This is addressed in SVN revision 1864213. https://svn.apache.org/viewvc?view=revision&revision=1864213
The aforementioned commit refers to the original vulnerability CVE-2019-10098 that was patched insufficiently by upstream.
I believe the issue was fixed with these commits: SVN revision 1873905: factor out default regex flags SVN revision 1874191: add AP_REG_NO_DEFAULT to allow opt-out of pcre defaults https://svn.apache.org/viewvc?view=revision&revision=1873905 https://svn.apache.org/viewvc?view=revision&revision=1874191
Packages submitted for 15/apache2, 12sp2/apache2 and 12sp1/apache2. Submitted 2.4.43 into 15sp2/apache2.
I believe all fixed.
home:pgajdos:apache-test:after looks good.
SUSE-SU-2020:1111-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1168404,1168407,1169066 CVE References: CVE-2020-1927,CVE-2020-1934,CVE-2020-1938 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): apache2-2.4.16-20.29.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): apache2-2.4.16-20.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1126-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1168404,1168407,1169066 CVE References: CVE-2020-1927,CVE-2020-1934,CVE-2020-1938 Sources used: SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-3.30.1 SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-3.30.1 SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): apache2-2.4.33-3.30.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): apache2-2.4.33-3.30.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-3.30.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-3.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0597-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1168404,1168407,1169066 CVE References: CVE-2020-1927,CVE-2020-1934,CVE-2020-1938 Sources used: openSUSE Leap 15.1 (src): apache2-2.4.33-lp151.8.12.1
SUSE-SU-2020:1272-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1168404,1168407,1169066 CVE References: CVE-2020-1927,CVE-2020-1934,CVE-2020-1938 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): apache2-2.4.23-29.54.1 SUSE OpenStack Cloud 8 (src): apache2-2.4.23-29.54.1 SUSE OpenStack Cloud 7 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP5 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP4 (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): apache2-2.4.23-29.54.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.54.1 SUSE Enterprise Storage 5 (src): apache2-2.4.23-29.54.1 HPE Helion Openstack 8 (src): apache2-2.4.23-29.54.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done