From patchwork Fri Dec 5 21:21:04 2025
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9360
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] apache: Update to 2.4.66
Date: Fri, 5 Dec 2025 22:21:04 +0100
Message-ID: <20251205212106.3692161-1-matthias.fischer@ipfire.org>

For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.66

"Changes with Apache 2.4.66

  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass
     via AllowOverride FileInfo (cve.mitre.org)
     mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in
     Apache HTTP Server. Users with access to use the RequestHeader directive
     in htaccess can cause some CGI scripts to run under an unexpected userid.
     This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
     Users are recommended to upgrade to version 2.4.66, which fixes the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable
     override (cve.mitre.org)
     Improper Neutralization of Escape, Meta, or Control Sequences
     vulnerability in Apache HTTP Server through environment variables set via
     the Apache configuration unexpectedly superseding variables calculated by
     the server for CGI programs.
     This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
     Users are recommended to upgrade to version 2.4.66, which fixes the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows
     through UNC SSRF (cve.mitre.org)
     Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on
     Windows with AllowEncodedSlashes On and MergeSlashes Off allows to
     potentially leak NTLM hashes to a malicious server via SSRF and malicious
     requests or content.
     Users are recommended to upgrade to version 2.4.66, which fixes the issue.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds
     query string to #exec cmd=... (cve.mitre.org)
     Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI)
     enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query
     string to #exec cmd="..." directives.
     This issue affects Apache HTTP Server before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes the issue.
     Credits: Anthony Parfenov (United Rentals, Inc.)

  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended
     retry intervals (cve.mitre.org)
     An integer overflow in the case of failed ACME certificate renewal leads,
     after a number of failures (~30 days in default configurations), to the
     backoff timer becoming 0. Attempts to renew the certificate then are
     repeated without delays until it succeeds.
     This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes the issue.
     Credits: Aisle Research

  *) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
     [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
     integers, used in push diaries and proxy window size calculations.
     PR69741 [Benjamin P. Kallus]

  *) mod_md: update to version 2.6.5
     - New directive `MDInitialDelay`, controlling how long to wait after a
       server restart before checking certificates for renewal.
       [Michael Kaufmann]
     - Hardening: when built with OpenSSL older than 1.0.2 or old libressl
       versions, the parsing of ASN.1 time strings did not do a length check.
     - Hardening: when reading back OCSP responses stored in the local JSON
       store, a missing 'valid' key led to uninitialized values, resulting in
       wrong refresh behaviour.

  *) mod_md: update to version 2.6.6
     - Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
     - Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]

  *) mod_http2: update to version 2.0.35
     New directive `H2MaxStreamErrors` to control how much bad behaviour by
     clients is tolerated before the connection is closed. [Stefan Eissing]
     * mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771

  *) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
     the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
     [Ruediger Pluem]

  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host
     compatibility policy. PR 69743. [Joe Orton]

  *) mod_md: update to version 2.6.2
     - Fix error retry delay calculation to not already double the wait on the
       first error.

  *) mod_md: update to version 2.6.1
     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
       traffic on errored renewals for the ACME CA. This leads to error retries
       of 30s, 1 minute, 2, 4, etc. up to daily attempts.
     - Checking that configuring `MDRetryDelay` will result in a positive
       duration. A delay of 0 is not accepted.
     - Fix a bug in checking Content-Type of responses from the ACME server.
     - Added ACME ARI support (rfc9773) to the module. Enabled by default.
       New directive "MDRenewViaARI on|off" for controlling this.
     - Removing tailscale support. It has not been working for a long time as
       the company decided to change their APIs. Away with the dead code,
       documentation and tests.
     - Fixed a compilation issue with pre-industrial versions of libcurl"

Signed-off-by: Matthias Fischer
---
 config/rootfiles/common/apache2 | 3 +--
 lfs/apache2                     | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
index 7f02347a2..8bca87c3b 100644
--- a/config/rootfiles/common/apache2
+++ b/config/rootfiles/common/apache2
@@ -505,6 +505,7 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/images/custom_errordocs.png #srv/web/ipfire/manual/images/down.gif #srv/web/ipfire/manual/images/favicon.ico +#srv/web/ipfire/manual/images/favicon.png #srv/web/ipfire/manual/images/feather.gif #srv/web/ipfire/manual/images/feather.png #srv/web/ipfire/manual/images/filter_arch.png @@ -1080,8 +1081,6 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/mod/mod_systemd.html #srv/web/ipfire/manual/mod/mod_systemd.html.en #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 -#srv/web/ipfire/manual/mod/mod_tls.html -#srv/web/ipfire/manual/mod/mod_tls.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html #srv/web/ipfire/manual/mod/mod_unique_id.html.en #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 diff --git a/lfs/apache2 b/lfs/apache2 index 7287c997b..059d011c8 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@ include Config -VER = 2.4.65 +VER = 2.4.66 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 67da132d066e03690d3a3ead8a528ab020564699c82584adf5bc637e1bc6c1def6f08e7b8b7962115fcb5bab31be7c977442549096d171321f95f54796ece63a +$(DL_FILE)_BLAKE2 = 3e702c9eda81440733516b6fe26f44cd358c385203de5a674f65e3806b0204bae4eb845e3a9ab340b2d731f98c9a0e72f616dd3ad070421b31e7814bbfcd6469 install : $(TARGET)
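Review bot: The second rootfiles hunk (`@@ -1080,8 +1081,6 @@`) drops the two `#srv/web/ipfire/manual/mod/mod_tls.html` entries; since both were already commented out, nothing in the installed file list changes, but please confirm that the 2.4.66 manual tree really no longer ships `mod_tls.html` and `mod_tls.html.en`, otherwise the rootfile check will report them as unlisted after the build. The same applies in reverse to the `+#srv/web/ipfire/manual/images/favicon.png` line in the first hunk: it only records a new upstream file that is deliberately not packaged.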
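Review bot: The `VER = 2.4.66` bump in `lfs/apache2` is accompanied by a commit message that lists five CVE fixes and several new directives but says nothing about whether the IPFire build and web interface were exercised with the new release; two of the listed fixes (CVE-2025-66200 on mod_userdir/suexec and CVE-2025-65082 on configuration-set environment variables superseding server-calculated CGI variables) change how CGI requests are handled, so a one-line statement that the build completed and the web interface was tested would make the change easier to merge with confidence.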
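Review bot: The `$(DL_FILE)_BLAKE2` update in the last hunk is consistent with the `VER` change (DL_FILE is derived from VER), but the commit message does not say how the new digest was obtained; a BLAKE2 value recomputed from a downloaded tarball only proves the download was reproducible, so state that the tarball was checked against upstream's published signature or checksum before its digest was recorded here.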
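The CVE-2025-55753 entry quoted in the commit message describes a backoff timer that wraps to 0 after enough failed ACME renewals, after which retries run without any delay. The C program below is an added illustration of that bug class and of the guard that prevents it; it is not mod_md's code. Only the schedule (30 s, doubling per failure, capped at daily attempts) is taken from the quoted CHANGES text; the arithmetic (a doubling multiplier in 64-bit microseconds) and the failure count at which the naive model wraps are the model's own assumptions, not the module's.

```c
/* Constructed illustration (not mod_md's code) of how an exponential
 * retry backoff can wrap to a zero delay, the failure mode described for
 * CVE-2025-55753, and of the guard that prevents it. Constants follow the
 * schedule in the quoted CHANGES text: 30 s doubling up to one day. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define BASE_DELAY_US ((int64_t)30 * 1000000)          /* 30 s, the quoted MDRetryDelay default */
#define MAX_DELAY_US  ((int64_t)24 * 3600 * 1000000)   /* cap: one attempt per day */

/* Naive schedule: the multiplier keeps doubling on every failure even after
 * the cap has been reached, so the product eventually wraps (unsigned wrap is
 * well defined in C, which keeps this model deterministic). Once it wraps to
 * 0, min(0, MAX) is 0 and the caller retries with no delay at all. */
uint64_t naive_backoff_us(unsigned failures)
{
    uint64_t mult = 1;
    for (unsigned i = 0; i < failures; i++)
        mult *= 2;                                    /* wraps to 0 at 64 doublings */
    uint64_t delay = (uint64_t)BASE_DELAY_US * mult;  /* wraps well before that */
    return delay < (uint64_t)MAX_DELAY_US ? delay : (uint64_t)MAX_DELAY_US;
}

/* Guarded schedule: stop doubling as soon as the next doubling would reach
 * the cap, so no intermediate value can overflow, and never hand back a
 * non-positive delay (mirrors the quoted "a delay of 0 is not accepted"). */
int64_t safe_backoff_us(unsigned failures)
{
    int64_t delay = BASE_DELAY_US;
    for (unsigned i = 0; i < failures; i++) {
        if (delay >= MAX_DELAY_US / 2)
            return MAX_DELAY_US;
        delay *= 2;
    }
    if (delay <= 0 || delay > MAX_DELAY_US)  /* defensive clamp, unreachable above */
        return MAX_DELAY_US;
    return delay;
}

/* Number of consecutive failures after which the naive schedule first yields
 * a zero delay in this model (0 if it never does within the search bound). */
unsigned naive_first_zero(void)
{
    for (unsigned n = 1; n <= 128; n++)
        if (naive_backoff_us(n) == 0)
            return n;
    return 0;
}

int main(void)
{
    printf("failures     naive(s)      safe(s)\n");
    for (unsigned n = 0; n <= 64; n += 8)
        printf("%8u %12" PRIu64 " %12" PRId64 "\n", n,
               naive_backoff_us(n) / 1000000, safe_backoff_us(n) / 1000000);
    printf("naive schedule first returns 0 after %u failures\n", naive_first_zero());
    return 0;
}
```

Both schedules agree until the daily cap is reached (after 12 failures in this model); the difference is that the guarded version stops growing its intermediate value once the cap applies, which is exactly the invariant an overflow in the unguarded arithmetic breaks. In this model the unguarded product becomes 0 after 57 consecutive failures; the number in a real deployment depends on the module's own arithmetic and is not derived here.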