From patchwork Thu Dec 23 16:32:52 2021
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 4939
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] apache: Update to 2.4.52
Date: Thu, 23 Dec 2021 17:32:52 +0100
Message-Id: <20211223163252.26494-1-matthias.fischer@ipfire.org>
Signed-off-by: Matthias Fischer

For details see:
https://dlcdn.apache.org//httpd/CHANGES_2.4.52

Excerpt from changelog:

"Changes with Apache 2.4.52

*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal

*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
   Credits: 漂亮鼠 TengMA(@Te3t123)
..."

Reviewed-by: Michael Tremer
Reviewed-by: Peter Müller
--- config/rootfiles/common/apache2 | 2 ++ lfs/apache2 | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 8442446df..b6e83ab9d 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/mod/mod_systemd.html #srv/web/ipfire/manual/mod/mod_systemd.html.en #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 +#srv/web/ipfire/manual/mod/mod_tls.html +#srv/web/ipfire/manual/mod/mod_tls.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html #srv/web/ipfire/manual/mod/mod_unique_id.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 
diff --git a/lfs/apache2 b/lfs/apache2 index b4064cee0..226058a22 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@ include Config -VER = 2.4.51 +VER = 2.4.52 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa install : $(TARGET)
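Review bot: The two new entries in config/rootfiles/common/apache2 (mod_tls.html and mod_tls.html.en) are not explained in the commit message, which only covers the version bump and the two CVEs. Add a line saying that the update brings in new mod_tls manual pages and that they are listed commented out like the neighbouring mod_systemd and mod_unique_id manual entries. Since only manual pages appear in this hunk, please also confirm whether the build produces a mod_tls module file that would need its own rootfile entry.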
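Review bot: In lfs/apache2 the only integrity value visible for the new tarball is $(DL_FILE)_MD5, and MD5 is not collision-resistant, which matters for an update pulled in to fix CVE-2021-44790 and CVE-2021-44224. State in the commit message how httpd-2.4.52.tar.bz2 was verified before this MD5 was recorded (upstream's published checksum or PGP signature), and if the lfs framework accepts a stronger digest than MD5, record that one instead.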