From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] apache: Update to 2.4.53 Date: Sat, 19 Mar 2022 22:58:44 +0100 Message-ID: <64cb6536-e7b8-a025-4841-c42e9a85c955@ipfire.org> In-Reply-To: <20220316160912.1569-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8013371007020035823==" List-Id: --===============8013371007020035823== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Adolf Belka On 16/03/2022 17:09, Matthias Fischer wrote: > For details see: > https://dlcdn.apache.org/httpd/CHANGES_2.4.53 > > Short summary of the most important SECURITY changes: > > "Changes with Apache 2.4.53 > > *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds > (cve.mitre.org) > Out-of-bounds Write vulnerability in mod_sed of Apache HTTP > Server allows an attacker to overwrite heap memory with possibly > attacker provided data. > This issue affects Apache HTTP Server 2.4 version 2.4.52 and > prior versions. > Credits: Ronald Crane (Zippenhop LLC) > > *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with > very large or unlimited LimitXMLRequestBody (cve.mitre.org) > If LimitXMLRequestBody is set to allow request bodies larger > than 350MB (defaults to 1M) on 32 bit systems an integer > overflow happens which later causes out of bounds writes. > This issue affects Apache HTTP Server 2.4.52 and earlier. 
> Credits: Anonymous working with Trend Micro Zero Day Initiative > > *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability > in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) > Apache HTTP Server 2.4.52 and earlier fails to close inbound > connection when errors are encountered discarding the request > body, exposing the server to HTTP Request Smuggling > Credits: James Kettle > > *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of > in r:parsebody (cve.mitre.org) > A carefully crafted request body can cause a read to a random > memory area which could cause the process to crash. > This issue affects Apache HTTP Server 2.4.52 and earlier. > Credits: Chamal De Silva > ..." > > Signed-off-by: Matthias Fischer > --- > lfs/apache2 | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lfs/apache2 b/lfs/apache2 > index 226058a22..6771ff903 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -1,7 +1,7 @@ > #########################################################################= ###### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2021 IPFire Team = # > +# Copyright (C) 2007-2022 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.52 > +VER =3D 2.4.53 > =20 > THISAPP =3D httpd-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D a94ae42b84309d5ef6e613ae825b92fa > +$(DL_FILE)_MD5 =3D f594f137137b5bdff3998dc17e3e9526 > =20 > install : $(TARGET) > =20 --===============8013371007020035823==--
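Review bot: the only integrity check touched by the third hunk is the updated `$(DL_FILE)_MD5 = f594f137137b5bdff3998dc17e3e9526`, and MD5 is not collision resistant, so a matching digest on its own does not establish that the downloaded httpd-2.4.53.tar.bz2 is the archive upstream released. Before merging, the new value should be confirmed against the checksum or PGP signature published by the Apache project for that tarball, and it would help future reviewers if the commit message recorded where the hash was taken from. The version bump in the second hunk (`VER = 2.4.52` to `VER = 2.4.53`) is consistent with the CVE fixes quoted in the message, and the copyright year change in the first hunk is purely cosmetic.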