Bug 2017321 (CVE-2021-20325) - CVE-2021-20325 httpd: Regression of CVE-2021-40438 and CVE-2021-26691 fixes in Red Hat Enterprise Linux 8.5
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20325
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2017407 2017408
Blocks: 2017307 2018438
Reported: 2021-10-26 09:57 UTC by Riccardo Schirone
Modified: 2023-07-11 10:49 UTC (History)
CC: 17 users

Fixed In Version: httpd 2.4.47, httpd 2.4.49
Doc Type: If docs needed, set a value
Doc Text:
Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd shipped in Red Hat Enterprise Linux 8.5.0 cause a security regression compared to the versions shipped in Red Hat Enterprise Linux 8.4. A user who installs or updates to Red Hat Enterprise Linux 8.5.0 would be vulnerable to the mentioned CVEs, even though they were properly fixed in Red Hat Enterprise Linux 8.4. CVE-2021-20325 was assigned to this Red Hat-specific security regression; it does not affect the upstream versions of httpd.
Clone Of:
Environment:
Last Closed: 2021-11-10 02:22:53 UTC
Embargoed:

Attachments: none

Links:
Red Hat Product Errata RHSA-2021:4537 (last updated 2021-11-09 20:07:59 UTC)

Description Riccardo Schirone 2021-10-26 09:57:43 UTC
The httpd flaws CVE-2021-40438 (bug 2005117) and CVE-2021-26691 (bug 1966732) were addressed in Red Hat Enterprise Linux 8 via erratum RHSA-2021:3816 released on Oct 12, 2021:

https://access.redhat.com/errata/RHSA-2021:3816

However, those fixes were not included in the httpd update released as part of Red Hat Enterprise Linux 8.5, causing a security regression of previously released fixes. A new CVE id, CVE-2021-20325, was assigned for this security regression.

Note that this issue and CVE id are specific to the httpd packages as shipped with Red Hat Enterprise Linux 8 and are not applicable to any upstream httpd version as released by the Apache Software Foundation, or to httpd packages of any other vendor that are not directly based on Red Hat Enterprise Linux 8 packages.

For more information about the original flaws, refer to the specific flaw bugs linked above.

Comment 6 errata-xmlrpc 2021-11-09 20:07:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4537 https://access.redhat.com/errata/RHSA-2021:4537

Comment 7 Product Security DevOps Team 2021-11-10 02:22:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20325

Comment 8 Tomas Hoger 2021-11-10 10:08:39 UTC
The Red Hat Enterprise Linux 8.5 erratum that introduced this regression is:

https://access.redhat.com/errata/RHSA-2021:4257
