From patchwork Mon May 4 20:05:52 2026
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9807
X-Original-To: development@lists.ipfire.org
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] apache: Update to 2.4.67
Date: Mon, 4 May 2026 22:05:52 +0200
Message-ID: <20260504200553.3026-1-matthias.fischer@ipfire.org>

For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.67

"Changes with Apache 2.4.67

  *) SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
     Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)
     Buffer Over-read vulnerability in Apache HTTP Server.
     This issue affects Apache HTTP Server: through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Elhanan Haenel

  *) SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap
     Buffer Over-Read Due to Missing Null-Termination Check
     (ajp_msg_get_string) (cve.mitre.org)
     Improper Null Termination, Out-of-bounds Read vulnerability in Apache
     HTTP Server.
     This issue affects Apache HTTP Server: through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Tianshuo Han ()

  *) SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in
     AJP getter functions (cve.mitre.org)
     Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.
     This issue affects Apache HTTP Server: through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Elhanan Haenel

  *) SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
     response splitting forwarding malicious status line (cve.mitre.org)
     HTTP response splitting vulnerability in multiple Apache HTTP Server
     modules with untrusted or compromised backend servers.
     This issue affects Apache HTTP Server: from through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Haruki Oyama (Waseda University)

  *) SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash
     (cve.mitre.org)
     A NULL pointer dereference in the mod_authn_socache in Apache HTTP
     Server 2.4.66 and earlier allows an unauthenticated remote user to
     crash a child process in a caching forward proxy configuration.
     Users are recommended to upgrade to version 2.4.67, which fixes this issue.
     Credits: Pavel Kohout, Aisle Research, Aisle.com

  *) SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing
     attack (cve.mitre.org)
     A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
     allows a bypass of Digest authentication by a remote attacker.
     Users are recommended to upgrade to version 2.4.67, which fixes this issue.
     Credits: Nitescu Lucian

  *) SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect
     lock crash (cve.mitre.org)
     A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66
     and earlier may allow an attacker to crash the server with a malicious
     request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
     The only known use-case for mod_dav_lock was mod_dav_svn from Apache
     Subversion earlier than version 1.2.0.
     Users are recommended to upgrade to version 2.4.66, which fixes this
     issue, or remove mod_dav_lock.
     Credits: Pavel Kohout, Aisle Research, Aisle.com

  *) SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP
     response (cve.mitre.org)
     Allocation of Resources Without Limits or Throttling vulnerability in
     Apache HTTP Server's mod_md via OCSP response data.
     This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Pavel Kohout, Aisle Research, Aisle.com

  *) SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
     mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org)
     Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache
     HTTP Server.
     If mod_proxy_ajp connects to a malicious AJP server this AJP server can
     send a malicious AJP message back to mod_proxy_ajp and cause it to write
     4 attacker controlled bytes after the end of a heap based buffer.
     This issue affects Apache HTTP Server: through 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Andrew Lacambra

  *) SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of
     privileges via ap_expr (cve.mitre.org)
     An escalation of privilege bug in various modules in Apache HTTP 2.4.66
     and earlier allows local .htaccess authors to read files with the
     privileges of the httpd user.
     Users are recommended to upgrade to version 2.4.67, which fixes this issue.
     Credits: y7syeu

  *) SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free and
     possible RCE on early reset (cve.mitre.org)
     Double Free and possible RCE vulnerability in Apache HTTP Server with
     the HTTP/2 protocol.
     This issue affects Apache HTTP Server: 2.4.66.
     Users are recommended to upgrade to version 2.4.67, which fixes the issue.
     Credits: Bartlomiej Dmitruk, striga.ai

  *) mod_md: update to version 2.6.10
     - Fix issue #420 by ignoring job.json files that claim to have
       completely finished a certificate renewal, but have not produced
       the necessary result files.

  *) mod_http2: update to version 2.0.39
     Remove streams own memory allocator after reports of memory problems
     with third party modules. [Stefan Eissing]

  *) mod_http2: update to version 2.0.38
     Source sync with mod_h2 github repository. No functional change.
     [Stefan Eissing]

  *) Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF
     [Alexandru Mărășteanu ]

  *) mod_md: update to version 2.6.7
     - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no
       longer applied, no matter the configuration.

  *) mod_md: update to version 2.6.9
     - Pebble 2.9+ reports another error when terms of service agreement is
       not set. Treating all "userActionRequired" errors as permanent now.

  *) mod_md: update to version 2.6.8
     - Fix the ARI related `replaces` property in ACME order creation to
       only be used when the CA supports ARI and it is enabled in the menu
       config.
     - Fix compatibility with APR versions before 1.6.0 which do not have
       `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.

  *) mod_http2: update to version 2.0.37
     Prevent double purge of a stream, resulting in a double free.
     Fixes PR 69899. [Stefan Eissing]

  *) mod_md: Use correct function name when compiling against APR < 1.6.0.
     PR 69954 [Tần Quảng ]"

Signed-off-by: Matthias Fischer
--- config/rootfiles/common/apache2 | 6 ++---- lfs/apache2 | 6 +++--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 8bca87c3b..2f31ba756 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -371,6 +371,8 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/developer/index.html #srv/web/ipfire/manual/developer/index.html.en #srv/web/ipfire/manual/developer/index.html.zh-cn.utf8 +#srv/web/ipfire/manual/developer/mod_example_1.c +#srv/web/ipfire/manual/developer/mod_example_2.c #srv/web/ipfire/manual/developer/modguide.html #srv/web/ipfire/manual/developer/modguide.html.en #srv/web/ipfire/manual/developer/modules.html @@ -1201,10 +1203,6 @@ srv/web/ipfire/html/captive #srv/web/ipfire/manual/platform/netware.html.en #srv/web/ipfire/manual/platform/netware.html.fr.utf8 #srv/web/ipfire/manual/platform/netware.html.ko.euc-kr -#srv/web/ipfire/manual/platform/perf-hp.html -#srv/web/ipfire/manual/platform/perf-hp.html.en -#srv/web/ipfire/manual/platform/perf-hp.html.fr.utf8 -#srv/web/ipfire/manual/platform/perf-hp.html.ko.euc-kr #srv/web/ipfire/manual/platform/rpm.html #srv/web/ipfire/manual/platform/rpm.html.en #srv/web/ipfire/manual/platform/rpm.html.fr.utf8 diff --git a/lfs/apache2 b/lfs/apache2 index 059d011c8..a0c8bcaaa 100644 --- a/lfs/apache2 +++ b/lfs/apache2
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config -VER = 2.4.66 +VER = 2.4.67 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3e702c9eda81440733516b6fe26f44cd358c385203de5a674f65e3806b0204bae4eb845e3a9ab340b2d731f98c9a0e72f616dd3ad070421b31e7814bbfcd6469 +$(DL_FILE)_BLAKE2 = c7f389588b8081080bf81b2f2ffcc585742811a5c7ddc3b63838bb8aad61586e7b8e8854cdb20b56963cc70a952124849b499a7affbf2bad44162f236bb5fbed install : $(TARGET)
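Review bot: the VER bump from 2.4.66 to 2.4.67 in the `-VER = 2.4.66` / `+VER = 2.4.67` hunk matches the CHANGES text quoted in the commit message, with one wrinkle: the quoted CVE-2026-29169 entry says "Users are recommended to upgrade to version 2.4.66", which contradicts the version this hunk sets. That is upstream's own wording, so leaving the quote verbatim is fine, but a one-line remark in the commit message that 2.4.67 is the release carrying that fix too would keep anyone reading the log later from being misled.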
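Review bot: the replaced `$(DL_FILE)_BLAKE2` value for httpd-2.4.67.tar.bz2 in the last hunk should be confirmed against the release's own integrity data rather than taken from the downloaded file alone; Apache publishes a detached PGP signature (.asc) and checksum files beside each tarball on dlcdn.apache.org, so please verify the signature against the httpd KEYS file before this hash is committed and say so in the commit message. The `DL_FROM` definition is outside the hunk, so whether the download itself comes over HTTPS from that mirror cannot be checked here.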
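The three mod_proxy_ajp entries quoted above (CVE-2026-28780 in ajp_msg_check_header(), CVE-2026-34032 in ajp_msg_get_string, CVE-2026-33857 in the AJP getters) all describe the same class of defect: a length-prefixed message whose declared lengths are trusted without being checked against what was actually received. The following C reader is an added illustration written for this page; it is not Apache httpd's ajp_msg_* code and does not reconstruct the specific bugs, it shows the checks such a parser needs. The AJP13 framing it relies on is public (container-to-server packets start with the bytes "AB", a 2-byte big-endian payload length follows, strings are a 2-byte length, the bytes, then one NUL, and 0xFFFF denotes a null string; prefix 0x04 is SEND_HEADERS). The sample packets are constructed for the example, not captured traffic.

```c
/* Added example: a minimal AJP13 message reader with explicit framing,
 * bounds and terminator checks. Illustrative code written for this page,
 * not Apache httpd's ajp_msg_* implementation, and not a reconstruction of
 * CVE-2026-28780, CVE-2026-34032 or CVE-2026-33857; it shows the class of
 * checks those entries describe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AJP_HEADER_LEN 4            /* 2 magic bytes + 2-byte payload length */
#define AJP_SEND_HEADERS 0x04       /* container -> server "send headers" prefix */

typedef struct {
    const uint8_t *buf;             /* whole packet as received */
    size_t cap;                     /* bytes actually present in buf */
    size_t len;                     /* payload length declared by the header */
    size_t pos;                     /* read cursor, relative to payload start */
} ajp_msg_t;

/* Validate the 4-byte header. The declared length must fit inside the bytes
 * we actually hold, otherwise every later getter would read past the buffer. */
int ajp_check_header(ajp_msg_t *m, const uint8_t *buf, size_t cap)
{
    size_t len;
    if (cap < AJP_HEADER_LEN) return -1;
    if (buf[0] != 0x41 || buf[1] != 0x42) return -1;   /* "AB" = container -> server */
    len = ((size_t)buf[2] << 8) | buf[3];
    if (len == 0 || len > cap - AJP_HEADER_LEN) return -1;
    m->buf = buf; m->cap = cap; m->len = len; m->pos = 0;
    return 0;
}

/* Every getter checks the remaining payload before touching a byte;
 * pos never exceeds len, so len - pos cannot underflow. */
static int ajp_get_byte(ajp_msg_t *m, uint8_t *out)
{
    if (m->len - m->pos < 1) return -1;
    *out = m->buf[AJP_HEADER_LEN + m->pos++];
    return 0;
}

static int ajp_get_uint16(ajp_msg_t *m, uint16_t *out)
{
    const uint8_t *p;
    if (m->len - m->pos < 2) return -1;
    p = m->buf + AJP_HEADER_LEN + m->pos;
    *out = (uint16_t)((p[0] << 8) | p[1]);
    m->pos += 2;
    return 0;
}

/* AJP string: uint16 length (excluding terminator), the bytes, then one NUL.
 * 0xFFFF means "null string". Both the bytes and the terminator must lie
 * inside the declared payload, and the terminator byte must really be 0. */
int ajp_get_string(ajp_msg_t *m, const char **out, size_t *out_len)
{
    uint16_t slen;
    const uint8_t *p;
    if (ajp_get_uint16(m, &slen) < 0) return -1;
    if (slen == 0xFFFF) { *out = NULL; *out_len = 0; return 0; }
    if (m->len - m->pos < (size_t)slen + 1) return -1;
    p = m->buf + AJP_HEADER_LEN + m->pos;
    if (p[slen] != 0) return -1;
    *out = (const char *)p;
    *out_len = slen;
    m->pos += (size_t)slen + 1;
    return 0;
}

/* Parse a SEND_HEADERS reply far enough to get status code and reason. */
int parse_demo_status(const uint8_t *buf, size_t cap, uint16_t *status,
                      char *reason, size_t reason_cap)
{
    ajp_msg_t m;
    uint8_t prefix;
    const char *s;
    size_t slen;
    if (ajp_check_header(&m, buf, cap) < 0) return -1;
    if (ajp_get_byte(&m, &prefix) < 0 || prefix != AJP_SEND_HEADERS) return -1;
    if (ajp_get_uint16(&m, status) < 0) return -1;
    if (ajp_get_string(&m, &s, &slen) < 0) return -1;
    if (s == NULL || slen + 1 > reason_cap) return -1;
    memcpy(reason, s, slen);
    reason[slen] = '\0';
    return 0;
}

/* Status code of a packet, or -1 when any check rejects it. */
int demo_status_of(const uint8_t *buf, size_t cap)
{
    uint16_t st;
    char reason[64];
    if (parse_demo_status(buf, cap, &st, reason, sizeof reason) < 0) return -1;
    return (int)st;
}

/* Constructed sample packets for this example, not captured traffic. */
static const uint8_t pkt_good[]    = {0x41,0x42, 0x00,0x08, 0x04, 0x00,0xC8, 0x00,0x02,'O','K',0x00};
/* header claims 4095 payload bytes, only 8 follow */
static const uint8_t pkt_bad_len[] = {0x41,0x42, 0x0F,0xFF, 0x04, 0x00,0xC8, 0x00,0x02,'O','K',0x00};
/* string claims 5 bytes, only 2 plus a terminator are present */
static const uint8_t pkt_bad_str[] = {0x41,0x42, 0x00,0x08, 0x04, 0x00,0xC8, 0x00,0x05,'O','K',0x00};
/* lengths agree, but the byte where the NUL must be is 'X' */
static const uint8_t pkt_no_nul[]  = {0x41,0x42, 0x00,0x08, 0x04, 0x00,0xC8, 0x00,0x02,'O','K','X'};

int main(void)
{
    printf("good packet     -> %d\n", demo_status_of(pkt_good, sizeof pkt_good));
    printf("bad header len  -> %d\n", demo_status_of(pkt_bad_len, sizeof pkt_bad_len));
    printf("bad string len  -> %d\n", demo_status_of(pkt_bad_str, sizeof pkt_bad_str));
    printf("missing NUL     -> %d\n", demo_status_of(pkt_no_nul, sizeof pkt_no_nul));
    printf("truncated (3 B) -> %d\n", demo_status_of(pkt_good, 3));
    return 0;
}
```

The point of the design is that the header check binds the declared payload length to the bytes actually held, and every getter then measures against that bound and never against the declared string length alone; the terminator is checked by value, not assumed from the length field.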
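The CVE-2026-33523 entry quoted above concerns a proxy forwarding a status line from an untrusted or compromised backend; if that line carries an embedded CR or LF, the client sees whatever follows as additional header lines. The validator below is an added example written for this page, not httpd's proxy code and not a reconstruction of that bug; it shows the fail-closed check a proxy can apply before a backend status line is passed on. The sample lines, including the injected Set-Cookie, are constructed for the example.

```c
/* Added example: validate a backend's HTTP status line before forwarding it.
 * Illustrative code written for this page, not Apache httpd's proxy code and
 * not a reconstruction of CVE-2026-33523; it shows the fail-closed check that
 * stops a backend from smuggling extra header lines through the status line. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns the status code (100..599) when `line` is a single, well-formed
 * "HTTP/1.x SP 3DIGIT [SP reason]" line containing no CR, LF, NUL or other
 * control byte (HTAB excepted); returns -1 otherwise. Deliberately stricter
 * than RFC 9112, which also tolerates obs-text in the reason phrase. */
int checked_status_code(const char *line, size_t len)
{
    size_t i;
    int code;

    /* Scan every byte first so an embedded CRLF anywhere rejects the line,
     * regardless of how much of it a lenient parser would otherwise consume. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c == '\r' || c == '\n' || c == 0x00 || c == 0x7F) return -1;
        if (c < 0x20 && c != '\t') return -1;
    }
    if (len < 12) return -1;                          /* "HTTP/1.x NNN" */
    if (memcmp(line, "HTTP/1.", 7) != 0) return -1;
    if (line[7] < '0' || line[7] > '9' || line[8] != ' ') return -1;
    for (i = 9; i < 12; i++)
        if (line[i] < '0' || line[i] > '9') return -1;
    if (len > 12 && line[12] != ' ') return -1;       /* a reason needs its SP */
    code = (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
    return (code >= 100 && code <= 599) ? code : -1;
}

/* Convenience for NUL-terminated samples. */
int checked_status_code_str(const char *line)
{
    return checked_status_code(line, strlen(line));
}

int main(void)
{
    /* Constructed samples; the fourth one is the response-splitting shape. */
    const char *samples[] = {
        "HTTP/1.1 200 OK",
        "HTTP/1.1 404 ",
        "HTTP/1.0 302",
        "HTTP/1.1 200 OK\r\nSet-Cookie: session=attacker",
        "HTTP/1.1 200 OK\n",
        "HTTP/1.1 20 OK",
        "HTTP/1.1 999 Nope",
        "HTTP/2 200 OK",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, checked_status_code_str(samples[i]));
    return 0;
}
```

A NUL inside the line cannot be expressed through strlen(), which is why the length-taking form exists: a proxy reading from a socket knows the byte count and should pass that, not rely on string termination.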