From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] apache: Update to 2.4.56 Date: Sat, 11 Mar 2023 16:15:45 +0000 Message-ID: <1a43eb5c-2c76-0122-3940-7e7778ee6e5f@ipfire.org> In-Reply-To: <20230309165925.22876-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2821569831090603422==" List-Id: --===============2821569831090603422== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Peter M=C3=BCller > For details see: > https://dlcdn.apache.org/httpd/CHANGES_2.4.56 >=20 > "Changes with Apache 2.4.56 >=20 > *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi > HTTP response splitting (cve.mitre.org) > HTTP Response Smuggling vulnerability in Apache HTTP Server via > mod_proxy_uwsgi. This issue affects Apache HTTP Server: from > 2.4.30 through 2.4.55. > Special characters in the origin response header can > truncate/split the response forwarded to the client. > Credits: Dimas Fariski Setyawan Putra (nyxsorcerer) >=20 > *) SECURITY: CVE-2023-25690: HTTP request splitting with > mod_rewrite and mod_proxy (cve.mitre.org) > Some mod_proxy configurations on Apache HTTP Server versions > 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. > Configurations are affected when mod_proxy is enabled along with > some form of RewriteRule > or ProxyPassMatch in which a non-specific pattern matches > some portion of the user-supplied request-target (URL) data and > is then > re-inserted into the proxied request-target using variable > substitution. For example, something like: > RewriteEngine on > RewriteRule "^/here/(.*)" " > http://example.com:8080/elsewhere?$1" > http://example.com:8080/elsewhere ; [P] > ProxyPassReverse /here/ http://example.com:8080/ > http://example.com:8080/ > Request splitting/smuggling could result in bypass of access > controls in the proxy server, proxying unintended URLs to > existing origin servers, and cache poisoning. > Credits: Lars Krapf of Adobe >=20 > *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be > truncated without the initial logfile being truncated. [Eric Covener] >=20 > *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order= to > allow connections of any age to be reused. Up to now, a negative value > was handled as an error when parsing the configuration file. PR 66421. > [nailyk , Christophe Jaillet] >=20 > *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid num= ber > of headers. [Ruediger Pluem] >=20 > *) mod_md: > - Enabling ED25519 support and certificate transparency information wh= en > building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis. > - MDChallengeDns01 can now be configured for individual domains. > Thanks to J=C3=83=C2=A9r=C3=83=C2=B4me Billiras (@bilhackmac) for th= e initial PR. > - Fixed a bug found by J=C3=83=C2=A9r=C3=83=C2=B4me Billiras (@bilhack= mac) that caused the challenge > teardown not being invoked as it should. > [Stefan Eissing] >=20 > *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors > reported in access logs and error documents. The processing of the > reset was correct, only unneccesary reporting was caused. > [Stefan Eissing] >=20 > *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. > [Yann Ylavic]" >=20 > Signed-off-by: Matthias Fischer > --- > lfs/apache2 | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/lfs/apache2 b/lfs/apache2 > index 7e1ef7911..402aa8567 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.55 > +VER =3D 2.4.56 > =20 > THISAPP =3D httpd-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D 98e9ec41aa3ccbbe533672ba6de8421e1f0cb5a4b4a06d0cf26c= 676945bcd5ebe66a1fd21d941ad8ff2c9183565ce542a5643730bbee5972934008652924945b > +$(DL_FILE)_BLAKE2 =3D f9aaf5038543aeec79d5b8615b1b2120fe321966280574c68507= 0f2356f8f1dba1d55a9a25f46cb5ecdd6e3f03785fe7a4e1b965506896cb889720728aa18101 > =20 > install : $(TARGET) > =20 --===============2821569831090603422==--