diff mbox series

apache: Update to 2.4.56

Message ID 20230309165925.22876-1-matthias.fischer@ipfire.org
State Accepted
Commit ee1d6a7c3a8a2904d78f83c4a37784ec87f3b368
Headers
Series apache: Update to 2.4.56 |

Commit Message

Matthias Fischer March 9, 2023, 4:59 p.m. UTC 
  For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.56

"Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
     HTTP response splitting (cve.mitre.org)
     HTTP Response Smuggling vulnerability in Apache HTTP Server via
     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
     2.4.30 through 2.4.55.
     Special characters in the origin response header can
     truncate/split the response forwarded to the client.
     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule
     or ProxyPassMatch in which a non-specific pattern matches
     some portion of the user-supplied request-target (URL) data and
     is then
     re-inserted into the proxied request-target using variable
     substitution. For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "
     http://example.com:8080/elsewhere?$1"
     http://example.com:8080/elsewhere ; [P]
     ProxyPassReverse /here/  http://example.com:8080/
     http://example.com:8080/
     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe

  *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
     truncated without the initial logfile being truncated.  [Eric Covener]

  *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
     allow connections of any age to be reused. Up to now, a negative value
     was handled as an error when parsing the configuration file.  PR 66421.
     [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

  *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
     of headers. [Ruediger Pluem]

  *) mod_md:
     - Enabling ED25519 support and certificate transparency information when
       building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
     - MDChallengeDns01 can now be configured for individual domains.
       Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.
     [Stefan Eissing]

  *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
     reported in access logs and error documents. The processing of the
     reset was correct, only unneccesary reporting was caused.
     [Stefan Eissing]

  *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
     [Yann Ylavic]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 lfs/apache2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Müller March 11, 2023, 4:15 p.m. UTC | #1 
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> For details see:
> https://dlcdn.apache.org/httpd/CHANGES_2.4.56
> 
> "Changes with Apache 2.4.56
> 
>   *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
>      HTTP response splitting (cve.mitre.org)
>      HTTP Response Smuggling vulnerability in Apache HTTP Server via
>      mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
>      2.4.30 through 2.4.55.
>      Special characters in the origin response header can
>      truncate/split the response forwarded to the client.
>      Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
> 
>   *) SECURITY: CVE-2023-25690: HTTP request splitting with
>      mod_rewrite and mod_proxy (cve.mitre.org)
>      Some mod_proxy configurations on Apache HTTP Server versions
>      2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
>      Configurations are affected when mod_proxy is enabled along with
>      some form of RewriteRule
>      or ProxyPassMatch in which a non-specific pattern matches
>      some portion of the user-supplied request-target (URL) data and
>      is then
>      re-inserted into the proxied request-target using variable
>      substitution. For example, something like:
>      RewriteEngine on
>      RewriteRule "^/here/(.*)" "
>      http://example.com:8080/elsewhere?$1"
>      http://example.com:8080/elsewhere ; [P]
>      ProxyPassReverse /here/  http://example.com:8080/
>      http://example.com:8080/
>      Request splitting/smuggling could result in bypass of access
>      controls in the proxy server, proxying unintended URLs to
>      existing origin servers, and cache poisoning.
>      Credits: Lars Krapf of Adobe
> 
>   *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
>      truncated without the initial logfile being truncated.  [Eric Covener]
> 
>   *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
>      allow connections of any age to be reused. Up to now, a negative value
>      was handled as an error when parsing the configuration file.  PR 66421.
>      [nailyk <bzapache nailyk.fr>, Christophe Jaillet]
> 
>   *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
>      of headers. [Ruediger Pluem]
> 
>   *) mod_md:
>      - Enabling ED25519 support and certificate transparency information when
>        building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
>      - MDChallengeDns01 can now be configured for individual domains.
>        Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
>      - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
>        teardown not being invoked as it should.
>      [Stefan Eissing]
> 
>   *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
>      reported in access logs and error documents. The processing of the
>      reset was correct, only unneccesary reporting was caused.
>      [Stefan Eissing]
> 
>   *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
>      [Yann Ylavic]"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>  lfs/apache2 | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/apache2 b/lfs/apache2
> index 7e1ef7911..402aa8567 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -25,7 +25,7 @@
>  
>  include Config
>  
> -VER        = 2.4.55
> +VER        = 2.4.56
>  
>  THISAPP    = httpd-$(VER)
>  DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 98e9ec41aa3ccbbe533672ba6de8421e1f0cb5a4b4a06d0cf26c676945bcd5ebe66a1fd21d941ad8ff2c9183565ce542a5643730bbee5972934008652924945b
> +$(DL_FILE)_BLAKE2 = f9aaf5038543aeec79d5b8615b1b2120fe321966280574c685070f2356f8f1dba1d55a9a25f46cb5ecdd6e3f03785fe7a4e1b965506896cb889720728aa18101
>  
>  install : $(TARGET)
>
diff mbox series

Patch

diff --git a/lfs/apache2 b/lfs/apache2
index 7e1ef7911..402aa8567 100644
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -25,7 +25,7 @@ 
 
 include Config
 
-VER        = 2.4.55
+VER        = 2.4.56
 
 THISAPP    = httpd-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -45,7 +45,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 98e9ec41aa3ccbbe533672ba6de8421e1f0cb5a4b4a06d0cf26c676945bcd5ebe66a1fd21d941ad8ff2c9183565ce542a5643730bbee5972934008652924945b
+$(DL_FILE)_BLAKE2 = f9aaf5038543aeec79d5b8615b1b2120fe321966280574c685070f2356f8f1dba1d55a9a25f46cb5ecdd6e3f03785fe7a4e1b965506896cb889720728aa18101
 
 install : $(TARGET)