| Message ID | 20211223163252.26494-1-matthias.fischer@ipfire.org |
|---|---|
| State | Accepted |
| Commit | d67eff100219498902c20159025dc7227cd4d2ca |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JKbMx47NFz3wcY for <patchwork@web04.haj.ipfire.org>; Thu, 23 Dec 2021 16:33:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JKbMw3tjvzYR; Thu, 23 Dec 2021 16:33:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JKbMw2BYgz2ypS; Thu, 23 Dec 2021 16:33:00 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JKbMv082Bz2xYj for <development@lists.ipfire.org>; Thu, 23 Dec 2021 16:32:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JKbMt2qspzYR for <development@lists.ipfire.org>; Thu, 23 Dec 2021 16:32:58 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1640277178; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=29RlBLE73hiFymYiIg4H5ShLXnyLvV0TFaRgnxksPEk=; b=ggTVMm53O7lWMaXmIRD9f3zBLa/LRCRXoVKQRbajUvx7kJVLubSNu4hdmHyivieZ9vxR9D MQ6u3GZ764V2P1CA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1640277178; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=29RlBLE73hiFymYiIg4H5ShLXnyLvV0TFaRgnxksPEk=; b=M1+mIvIsf9NpHdokASaxQ2UkbTrzJeuGects/ModvWJZBJS0f2JOR7tjxa3ywbKhi3Adsy +tLdrOKhgbbsKU0jetenwiwZxgE5RiCwj3S3mLMtpqd+sfAtz8EQwMmYE2f9ERUNakFIpR fdw5VYoRLBc5HmilKkmuBKQ0oc//sv67ydkqy3O4mHPs0oMErIpIAsuj8un7Y6Ws02WKos 2Klkdzppcu71tl2JQLQt/yAm4Ylnc0inpahOISGkjiXOgQDjLndQ9dKMhlN6pDML6Zht4a G/x02cPQSGWnqEf+4D3dRd6HfEwNcGlRN7f7BGnqxzWIXgelSkKGWP1nLduWVw== From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] apache: Update to 2.4.52 Date: Thu, 23 Dec 2021 17:32:52 +0100 Message-Id: <20211223163252.26494-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
apache: Update to 2.4.52
|
|
Commit Message
Matthias Fischer
Dec. 23, 2021, 4:32 p.m. UTC
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
For details see:
https://dlcdn.apache.org//httpd/CHANGES_2.4.52
Excerpt from changelog:
""Changes with Apache 2.4.52
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
Credits: Chamal
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
Credits: 漂亮é¼
TengMA(@Te3t123)
..."
---
config/rootfiles/common/apache2 | 2 ++
lfs/apache2 | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> > On 23 Dec 2021, at 17:32, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > > For details see: > https://dlcdn.apache.org//httpd/CHANGES_2.4.52 > > Excerpt from changelog: > > ""Changes with Apache 2.4.52 > > *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing > multipart content in mod_lua of Apache HTTP Server 2.4.51 and > earlier (cve.mitre.org) > A carefully crafted request body can cause a buffer overflow in > the mod_lua multipart parser (r:parsebody() called from Lua > scripts). > The Apache httpd team is not aware of an exploit for the > vulnerabilty though it might be possible to craft one. > This issue affects Apache HTTP Server 2.4.51 and earlier. > Credits: Chamal > > *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in > forward proxy configurations in Apache HTTP Server 2.4.51 and > earlier (cve.mitre.org) > A crafted URI sent to httpd configured as a forward proxy > (ProxyRequests on) can cause a crash (NULL pointer dereference) > or, for configurations mixing forward and reverse proxy > declarations, can allow for requests to be directed to a > declared Unix Domain Socket endpoint (Server Side Request > Forgery). > This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 > (included). > Credits: æ¼‚äº®é¼ > TengMA(@Te3t123) > ..." > --- > config/rootfiles/common/apache2 | 2 ++ > lfs/apache2 | 4 ++-- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 > index 8442446df..b6e83ab9d 100644 > --- a/config/rootfiles/common/apache2 > +++ b/config/rootfiles/common/apache2 > @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive > #srv/web/ipfire/manual/mod/mod_systemd.html > #srv/web/ipfire/manual/mod/mod_systemd.html.en > #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 > +#srv/web/ipfire/manual/mod/mod_tls.html > +#srv/web/ipfire/manual/mod/mod_tls.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html > #srv/web/ipfire/manual/mod/mod_unique_id.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 > diff --git a/lfs/apache2 b/lfs/apache2 > index b4064cee0..226058a22 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > > include Config > > -VER = 2.4.51 > +VER = 2.4.52 > > THISAPP = httpd-$(VER) > DL_FILE = $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d > +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa > > install : $(TARGET) > > -- > 2.18.0 >
Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > > For details see: > https://dlcdn.apache.org//httpd/CHANGES_2.4.52 > > Excerpt from changelog: > > ""Changes with Apache 2.4.52 > > *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing > multipart content in mod_lua of Apache HTTP Server 2.4.51 and > earlier (cve.mitre.org) > A carefully crafted request body can cause a buffer overflow in > the mod_lua multipart parser (r:parsebody() called from Lua > scripts). > The Apache httpd team is not aware of an exploit for the > vulnerabilty though it might be possible to craft one. > This issue affects Apache HTTP Server 2.4.51 and earlier. > Credits: Chamal > > *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in > forward proxy configurations in Apache HTTP Server 2.4.51 and > earlier (cve.mitre.org) > A crafted URI sent to httpd configured as a forward proxy > (ProxyRequests on) can cause a crash (NULL pointer dereference) > or, for configurations mixing forward and reverse proxy > declarations, can allow for requests to be directed to a > declared Unix Domain Socket endpoint (Server Side Request > Forgery). > This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 > (included). > Credits: æ¼‚äº®é¼ > TengMA(@Te3t123) > ..." > --- > config/rootfiles/common/apache2 | 2 ++ > lfs/apache2 | 4 ++-- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 > index 8442446df..b6e83ab9d 100644 > --- a/config/rootfiles/common/apache2 > +++ b/config/rootfiles/common/apache2 > @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive > #srv/web/ipfire/manual/mod/mod_systemd.html > #srv/web/ipfire/manual/mod/mod_systemd.html.en > #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 > +#srv/web/ipfire/manual/mod/mod_tls.html > +#srv/web/ipfire/manual/mod/mod_tls.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html > #srv/web/ipfire/manual/mod/mod_unique_id.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 > diff --git a/lfs/apache2 b/lfs/apache2 > index b4064cee0..226058a22 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > > include Config > > -VER = 2.4.51 > +VER = 2.4.52 > > THISAPP = httpd-$(VER) > DL_FILE = $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d > +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa > > install : $(TARGET) > >
diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 8442446df..b6e83ab9d 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/mod/mod_systemd.html #srv/web/ipfire/manual/mod/mod_systemd.html.en #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 +#srv/web/ipfire/manual/mod/mod_tls.html +#srv/web/ipfire/manual/mod/mod_tls.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html #srv/web/ipfire/manual/mod/mod_unique_id.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 diff --git a/lfs/apache2 b/lfs/apache2 index b4064cee0..226058a22 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@ include Config -VER = 2.4.51 +VER = 2.4.52 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa install : $(TARGET)