Where is the CVE-2021-44224 in Apple macOS Monterey 12.2 ?

Apple just announced a long list of fourteen CVE fixes in their Monterey 12.2 release notes.

Notably absent is CVE-2021-44224 (as patched December 20th, 2021 by Ubuntu).

Apache titled this flaw a “Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier”.

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). Credits: 漂亮é¼

Running on every 12.1 macOS is a bundled httpd version 2.4.51, so I find it curious that a 2021 critical CVE still isn’t mentioned in Apple’s latest upgrade announcement. It seems macOS isn’t affected by the proxy configuration issue here, yet it still deserves some mention from Apple.

The flaw in httpd (in proxy_util.c) for this CVE is reported to be basically this one line:

url = ap_proxy_de_socketfy(p, url);

And here was the change made, to verify that the called function also finds a string (URL):

url = ap_proxy_de_socketfy(p, url);
if (!url) {
return NULL;
}

In other words a patched httpd checks for NULL in the URL, as memory reads might otherwise attempt to use an undefined NULL pointer.

US Embassy in Georgia Explains Russian False Flag Operations

A nice history angle is provided by the US State Department “share” service in an official embassy post about Russian false flag operations.

Russia’s false flag operations date back decades and take many forms. In 1939, the Soviet Union shelled its own troops outside the Soviet village of Mainila near Finland. It then blamed Finland for the attack and invaded its neighbor in violation of the two countries’ nonaggression pact.

Then they jump ahead to five years ago.

More recently, Russian state hackers have disguised themselves as operatives of Iran’s regime or the Islamic State of Iraq and Syria (ISIS) to evade responsibility. In 2017, Russia’s military launched a ransomware attack against Ukrainian businesses. While the attack was disguised to look like the work of profiteers rather than state actors, a joint investigation by Australia, Canada, New Zealand, the United Kingdom and the United States found the Kremlin responsible, according to Wired magazine.

The link to the Wired article is very important because there you will find motive.

[James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies] argues that Russia’s ultimate goal with its false flag attacks, aside from creating confusion and deniability, is to make the case that attribution isn’t truly possible—that when a US intelligence agency or Department of Justice points the finger at the Kremlin after hacking incidents, they’re merely guessing. “They don’t like being indicted,” he adds. “They would like to create a counter-narrative: ‘You can’t trust the Americans. Look, they got this wrong.'”

Those who try saying that attribution of attack is not possible — sowing doubt about science and intelligence — are feeding into the Russian military intelligence narrative meant to enable their sloppy and inexpensive attacks.

Historians might be the first to disagree with Russia on this. I mean who really disputes today whether Russian relations with the Confederation of Targowica (noble league backed by Russian Empress Catherine II to oppose the Polish Constitution) is what led to Poland being invaded 16 May 1792 (without Russia even declaring war), which resulted in the Russo-Prussian Second Partition? And what about 28 June 1788 when Sweden’s King Gustavus III declared war on Russia by disguising his own soldiers in Puumala with Russian uniforms?

Related: The unCERTainty of attribution.

Billionaires Fund Campaigns to Ban Books in American School

First, the Guardian makes it clear that a conspiracy is real:

…groups involved in banning books are in fact linked, and backed by influential conservative donors.

Second, a racist motive is obvious:

In Pennsylvania, the Central York school board banned a long list of books, almost entirely titles by, or about, people of color, including books by Jacqueline Woodson, Ijeoma Oluo and Ibram X Kendi, and children’s titles about Rosa Parks and Martin Luther King Jr. “Let’s just call it what it is – every author on that list is a Black voice,” one teacher told the York Dispatch.

Third, the “influential conservative donors” are really more like (a blast from America’s past of shameless billionaire misconduct) radical extremists who advocate for a fascist surveillance state that will prohibit freedom of thought.

PDE’s president [a group that “tells parents they should spy on teachers”] …worked at the Cato Institute, a rightwing thinktank co-founded by Republican mega-donor Charles Koch. The Intercept reported that the IWF has received large donations from Republican donor Leonard Leo, a former vice-president of the Koch-funded Federalist Society who advised Donald Trump on judicial appointments.

Fourth, the opposition is naturally students themselves who would rather not have their thoughts controlled and education dictated by a tiny group of racist American billionaires.

The Pennsylvania ban was overturned in September 2021 after students protested outside their York County high school and outside school board meetings. In Virginia, high school students managed to overturn the Spotsylvania book ban in similar fashion…

Interesting reading, to say the least.

What would America’s first important philanthropist Margaret Olivia Sage say?

Margaret Olivia Sage invented a new level of charity in 1907 by giving $10 million to create the first private family foundation in America. A former school teacher, she hoped to improve education and to alleviate causes of poverty. Source: Auburn University Digital Library

Are You a Robot Interview: Decentralization of the Internet

I enjoyed speaking about an increasingly common topic (Decentralisation of the Internet) with Demetrios Brinkmann (@dpbrinkm on Twitter) on the “Are You A Robot” Podcast (@areyouarobotpod on Twitter).

The whole conversation is available on https://www.areyouarobot.co.uk/episodes/season-ten, as well as https://anchor.fm/are-you-a-robot/episodes/S10E03-The-Decentralisation-of-the-Internet–Davi-Ottenheimer-e15g4jj and…here: