Bug 2042795

Summary: httpd: possible NULL dereference or SSRF in forward proxy configurations [CentOS Stream]
Product: Red Hat Enterprise Linux 8
Reporter: Jan ONDREJ <ondrejj>
Component: httpd-2.4-module
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED DUPLICATE
QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: bnater, bstinson, jwboyer
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Last Closed: 2022-01-20 10:55:48 UTC
Type: Bug

Description Jan ONDREJ 2022-01-20 07:13:52 UTC
Description of problem:
CentOS Stream 8 is still vulnerable to this vulnerability.
Also, a month after the public report at https://access.redhat.com/security/cve/cve-2021-44224, there is still no fix for RHEL or CentOS Stream.
There is no mitigation, so sysadmins need to make their own solution (recompile apache httpd or disable Proxy).

Version-Release number of selected component (if applicable):
httpd-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64

How reproducible:
always

Additional info:
I am not allowed to display RHEL bugs for this issue, so I don't know its progress.

Comment 1 Branislav Náter 2022-01-20 10:55:48 UTC

*** This bug has been marked as a duplicate of bug 2035030 ***