Re: [PATCH] apache: Update to 2.4.53

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3330 bytes --]

Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>

On 16/03/2022 17:09, Matthias Fischer wrote:
> For details see:
> https://dlcdn.apache.org/httpd/CHANGES_2.4.53
>
> Short summary of the most important SECURITY changes:
>
> "Changes with Apache 2.4.53
>
>    *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
>       (cve.mitre.org)
>       Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
>       Server allows an attacker to overwrite heap memory with possibly
>       attacker provided data.
>       This issue affects Apache HTTP Server 2.4 version 2.4.52 and
>       prior versions.
>       Credits: Ronald Crane (Zippenhop LLC)
>
>    *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
>       very large or unlimited LimitXMLRequestBody (cve.mitre.org)
>       If LimitXMLRequestBody is set to allow request bodies larger
>       than 350MB (defaults to 1M) on 32 bit systems an integer
>       overflow happens which later causes out of bounds writes.
>       This issue affects Apache HTTP Server 2.4.52 and earlier.
>       Credits: Anonymous working with Trend Micro Zero Day Initiative
>
>    *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
>       in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
>       Apache HTTP Server 2.4.52 and earlier fails to close inbound
>       connection when errors are encountered discarding the request
>       body, exposing the server to HTTP Request Smuggling
>       Credits: James Kettle <james.kettle portswigger.net>
>
>    *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
>       in r:parsebody (cve.mitre.org)
>       A carefully crafted request body can cause a read to a random
>       memory area which could cause the process to crash.
>       This issue affects Apache HTTP Server 2.4.52 and earlier.
>       Credits: Chamal De Silva
>       ..."
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>   lfs/apache2 | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lfs/apache2 b/lfs/apache2
> index 226058a22..6771ff903 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -1,7 +1,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
> +# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -25,7 +25,7 @@
>   
>   include Config
>   
> -VER        = 2.4.52
> +VER        = 2.4.53
>   
>   THISAPP    = httpd-$(VER)
>   DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa
> +$(DL_FILE)_MD5 = f594f137137b5bdff3998dc17e3e9526
>   
>   install : $(TARGET)
>