mirror of
git://slackware.nl/current.git
synced 2024-12-28 09:59:53 +01:00
0807d59d4d
n/httpd-2.4.51-x86_64-1.txz: Upgraded.
SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient. An attacker could use a path
traversal attack to map URLs to files outside the directories
configured by Alias-like directives.
If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased
pathes, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
earlier versions.
Credits: Reported by Juan Escobar from Dreamlab Technologies,
Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
(* Security fix *)
160 lines
9.6 KiB
Bash
160 lines
9.6 KiB
Bash
#!/bin/sh
|
|
#item ####description ###on off ###
|
|
TMP=/var/log/setup/tmp
|
|
if [ ! -d $TMP ]; then
|
|
mkdir -p $TMP
|
|
fi
|
|
cat /dev/null > $TMP/SeTnewtag
|
|
dialog --title "SELECTING PACKAGES FROM SERIES A (BASE LINUX SYSTEM)" \
|
|
--checklist "Please confirm the packages you wish to install \
|
|
from series A. Use the UP/DOWN keys to scroll through the list, and \
|
|
the SPACE key to deselect any packages don't want installed. You are \
|
|
cautioned against unselecting REQUIRED packages. However, it's your \
|
|
system. :^) Press ENTER when you are done." 21 76 10 \
|
|
"aaa_base" "Basic filesystem, shell, and utils - REQUIRED" "on" \
|
|
"aaa_glibc-solibs" "Runtime glibc support libraries - REQUIRED" "on" \
|
|
"aaa_libraries" "Various shared libraries -- REQUIRED" "on" \
|
|
"aaa_terminfo" "A subset of the terminfo database from ncurses" "on" \
|
|
"acl" "POSIX Access Control List tools -- REQUIRED" "on" \
|
|
"acpid" "ACPI Power Management daemon" "on" \
|
|
"attr" "Tools for fs extended attributes -- REQUIRED" "on" \
|
|
"bash" "GNU bash shell - REQUIRED" "on" \
|
|
"bin" "Various system utilities - REQUIRED" "on" \
|
|
"btrfs-progs" "Utilities for btrfs filesystems" "on" \
|
|
"bzip2" "bzip2 compression utility" "on" \
|
|
"coreutils" "The core GNU command-line utilities - REQUIRED" "on" \
|
|
"cpio" "The GNU cpio backup/archiving utility" "on" \
|
|
"cpufrequtils" "Kernel CPUfreq utilities" "on" \
|
|
"cracklib" "Password checking library - REQUIRED" "on" \
|
|
"cryptsetup" "Utilities for encrypting partitions" "on" \
|
|
"dbus" "D-Bus message bus system" "on" \
|
|
"dcron" "Cron daemon - REQUIRED" "on" \
|
|
"devs" "Device files found in /dev - REQUIRED" "on" \
|
|
"dialog" "The program that generates these menus :-)" "on" \
|
|
"dosfstools" "Tools for working with FAT filesystems" "on" \
|
|
"e2fsprogs" "Utilities for ext2/3/4 filesystems - REQUIRED" "on" \
|
|
"ed" "A clone of the old, original UN*X line editor" "on" \
|
|
"efibootmgr" "Tool to modify UEFI boot entries" "on" \
|
|
"efivar" "Library and tools to handle UEFI variables" "on" \
|
|
"elilo" "Linux Loader for EFI-based platforms" "on" \
|
|
"elogind" "logind extracted from systemd" "on" \
|
|
"elvis" "elvis text editor (ex/vi clone)" "on" \
|
|
"etc" "System config files & utilities - REQUIRED" "on" \
|
|
"eudev" "Manages /dev and modules - REQUIRED" "on" \
|
|
"exfatprogs" "exFAT filesystem utilities" "on" \
|
|
"f2fs-tools" "Flash-Friendly File System" "on" \
|
|
"file" "Determines what file format data is in" "on" \
|
|
"findutils" "GNU file finding utilities" "on" \
|
|
"floppy" "Utilities for using DOS floppies" "on" \
|
|
"gawk" "GNU awk pattern scanning language" "on" \
|
|
"genpower" "UPS monitoring daemon" "on" \
|
|
"gettext" "Programs used to internationalize scripts" "on" \
|
|
"glibc-zoneinfo" "Configures your time zone" "on" \
|
|
"gpm" "Cut and paste text with your mouse" "on" \
|
|
"gptfdisk" "GPT fdisk utilities" "on" \
|
|
"grep" "GNU grep searching tool - REQUIRED" "on" \
|
|
"grub" "GNU GRUB, the GRand Unified Bootloader" "on" \
|
|
"gzip" "GNU zip compression utility - REQUIRED" "on" \
|
|
"haveged" "A simple entropy daemon" "on" \
|
|
"hdparm" "Get/Set IDE hard drive parameters" "on" \
|
|
"hostname" "Linux hostname utility - REQUIRED" "on" \
|
|
"hwdata" "Hardware identification and config data" "on" \
|
|
"infozip" "zip/unzip archive utilities" "on" \
|
|
"inih" "INI Not Invented Here" "on" \
|
|
"inotify-tools" "Command-line tools for using inotify." "on" \
|
|
"jfsutils" "Utilities for IBM's Journaled Filesystem" "on" \
|
|
"kbd" "Change keyboard and console mappings" "on" \
|
|
"kernel-firmware" "Linux kernel firmware -- REQUIRED" "on" \
|
|
"kernel-generic" "Generic 5.14.10 kernel (needs an initrd)" "on" \
|
|
"kernel-huge" "Loaded 5.14.10 Linux kernel" "on" \
|
|
"kernel-modules" "Linux 5.14.10 kernel modules -- REQUIRED" "on" \
|
|
"kmod" "Kernel module utilities -- REQUIRED" "on" \
|
|
"lbzip2" "Parallel bzip2 compressor" "on" \
|
|
"less" "A text pager utility - REQUIRED" "on" \
|
|
"lhasa" "Free LZH archive tool" "on" \
|
|
"libblockdev" "library for manipulating block devices" "on" \
|
|
"libbytesize" "library for working with big sizes in bytes" "on" \
|
|
"libcgroup" "Tools for using kernel control groups" "on" \
|
|
"libgudev" "udev GObject bindings library - REQUIRED" "on" \
|
|
"libpwquality" "Password quality checking library - REQUIRED" "on" \
|
|
"lilo" "Boot loader for Linux, DOS, OS/2, etc." "on" \
|
|
"logrotate" "System log rotation utility" "on" \
|
|
"lrzip" "Long Range ZIP" "on" \
|
|
"lvm2" "Tools for creating logical volumes" "on" \
|
|
"lzip" "A lossless data compressor" "on" \
|
|
"lzlib" "lzip compression library" "on" \
|
|
"mcelog" "Machine Check Event logger" "on" \
|
|
"mdadm" "Utilities for managing MD (RAID) devices" "on" \
|
|
"minicom" "Serial transfer and modem comm package" "on" \
|
|
"mkinitrd" "Tool for building an initial ramdisk" "on" \
|
|
"mlocate" "Locates files on the system" "on" \
|
|
"mt-st" "mt ported from BSD - controls tape drive" "on" \
|
|
"mtx" "Controls tape autochangers" "on" \
|
|
"ncompress" "The historic compress utility" "on" \
|
|
"ndctl" "non-volatile memory device library" "on" \
|
|
"ntfs-3g" "FUSE-based NTFS read-write mount program" "on" \
|
|
"nvi" "nvi text editor (ex/vi clone)" "on" \
|
|
"openssl-solibs" "OpenSSL shared libraries -- REQUIRED" "on" \
|
|
"os-prober" "A tool for finding bootable OS partitions" "on" \
|
|
"pam" "Pluggable Authentication Modules -- REQUIRED" "on" \
|
|
"patch" "Applies a diff file to an original file" "on" \
|
|
"pciutils" "Linux PCI utilities" "on" \
|
|
"pcmciautils" "PCMCIA card services for the Linux kernel" "on" \
|
|
"pkgtools" "Slackware package management tools - REQUIRED" "on" \
|
|
"plzip" "Parallel lzip compressor" "on" \
|
|
"procps-ng" "Displays process info - REQUIRED" "on" \
|
|
"quota" "User disk quota utilities" "on" \
|
|
"reiserfsprogs" "Tools for the ReiserFS journaling filesystem" "on" \
|
|
"rpm2tgz" "A simple script to convert an RPM to a tgz" "on" \
|
|
"sdparm" "Get/Set SCSI hard drive parameters" "on" \
|
|
"sed" "GNU stream editor -- REQUIRED" "on" \
|
|
"shadow" "Shadow password suite -- REQUIRED" "on" \
|
|
"sharutils" "GNU shell archive utilities - REQUIRED" "on" \
|
|
"smartmontools" "Hard drive monitoring utilities" "on" \
|
|
"splitvt" "Split a screen into sections (use screen ;-)" "on" \
|
|
"sysfsutils" "Utilities for the sysfs filesystem" "on" \
|
|
"sysklogd" "Logs system and kernel messages" "on" \
|
|
"syslinux" "Loader for making Linux boot floppies" "on" \
|
|
"sysvinit" "System V-like INIT programs - REQUIRED" "on" \
|
|
"sysvinit-functions" "Init functions used by some third-party apps" "on" \
|
|
"sysvinit-scripts" "The startup scripts for Slackware - REQUIRED" "on" \
|
|
"tar" "GNU tar archive utility -- REQUIRED" "on" \
|
|
"tcsh" "Extended C shell /bin/tcsh" "on" \
|
|
"time" "Times how long a process takes to run" "on" \
|
|
"tree" "Display a directory in tree form" "on" \
|
|
"udisks" "storage device daemon" "on" \
|
|
"udisks2" "storage device daemon v2" "on" \
|
|
"unarj" "Extract ARJ archives" "on" \
|
|
"upower" "power management abstraction daemon" "on" \
|
|
"usb_modeswitch" "Switching tool for multiple mode USB devices" "on" \
|
|
"usbutils" "Linux USB utilities" "on" \
|
|
"utempter" "Library used for writing to utmp/wtmp" "on" \
|
|
"util-linux" "Util-linux utilities - REQUIRED" "on" \
|
|
"volume_key" "manipulate storage keys" "on" \
|
|
"which" "Locate an executable in your \$PATH" "on" \
|
|
"xfsprogs" "Utilities for SGI's XFS filesystem" "on" \
|
|
"xz" "xz (LZMA) compression utility - REQUIRED" "on" \
|
|
"zerofree" "Zero free blocks from ext* filesystems" "on" \
|
|
"zoo" "Zoo archive utility" "on" \
|
|
2> $TMP/SeTpkgs
|
|
if [ $? = 1 -o $? = 255 ]; then
|
|
rm -f $TMP/SeTpkgs
|
|
> $TMP/SeTnewtag
|
|
for pkg in \
|
|
aaa_base aaa_glibc-solibs aaa_libraries aaa_terminfo acl acpid attr bash bin btrfs-progs bzip2 coreutils cpio cpufrequtils cracklib cryptsetup dbus dcron devs dialog dosfstools e2fsprogs ed efibootmgr efivar elilo elogind elvis etc eudev exfatprogs f2fs-tools file findutils floppy gawk genpower gettext glibc-zoneinfo gpm gptfdisk grep grub gzip haveged hdparm hostname hwdata infozip inih inotify-tools jfsutils kbd kernel-firmware kernel-generic kernel-huge kernel-modules kmod lbzip2 less lhasa libblockdev libbytesize libcgroup libgudev libpwquality lilo logrotate lrzip lvm2 lzip lzlib mcelog mdadm minicom mkinitrd mlocate mt-st mtx ncompress ndctl ntfs-3g nvi openssl-solibs os-prober pam patch pciutils pcmciautils pkgtools plzip procps-ng quota reiserfsprogs rpm2tgz sdparm sed shadow sharutils smartmontools splitvt sysfsutils sysklogd syslinux sysvinit sysvinit-functions sysvinit-scripts tar tcsh time tree udisks udisks2 unarj upower usb_modeswitch usbutils utempter util-linux volume_key which xfsprogs xz zerofree zoo \
|
|
; do
|
|
echo "$pkg: SKP" >> $TMP/SeTnewtag
|
|
done
|
|
exit
|
|
fi
|
|
cat /dev/null > $TMP/SeTnewtag
|
|
for PACKAGE in \
|
|
aaa_base aaa_glibc-solibs aaa_libraries aaa_terminfo acl acpid attr bash bin btrfs-progs bzip2 coreutils cpio cpufrequtils cracklib cryptsetup dbus dcron devs dialog dosfstools e2fsprogs ed efibootmgr efivar elilo elogind elvis etc eudev exfatprogs f2fs-tools file findutils floppy gawk genpower gettext glibc-zoneinfo gpm gptfdisk grep grub gzip haveged hdparm hostname hwdata infozip inih inotify-tools jfsutils kbd kernel-firmware kernel-generic kernel-huge kernel-modules kmod lbzip2 less lhasa libblockdev libbytesize libcgroup libgudev libpwquality lilo logrotate lrzip lvm2 lzip lzlib mcelog mdadm minicom mkinitrd mlocate mt-st mtx ncompress ndctl ntfs-3g nvi openssl-solibs os-prober pam patch pciutils pcmciautils pkgtools plzip procps-ng quota reiserfsprogs rpm2tgz sdparm sed shadow sharutils smartmontools splitvt sysfsutils sysklogd syslinux sysvinit sysvinit-functions sysvinit-scripts tar tcsh time tree udisks udisks2 unarj upower usb_modeswitch usbutils utempter util-linux volume_key which xfsprogs xz zerofree zoo \
|
|
; do
|
|
if grep "\(^\| \)$PACKAGE\( \|$\)" $TMP/SeTpkgs 1> /dev/null 2> /dev/null ; then
|
|
echo "$PACKAGE: ADD" >> $TMP/SeTnewtag
|
|
else
|
|
echo "$PACKAGE: SKP" >> $TMP/SeTnewtag
|
|
fi
|
|
done
|
|
rm -f $TMP/SeTpkgs
|