Re: [PATCH] apache: Update to 2.4.58

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3385 bytes --]

Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>

On 19/10/2023 20:52, Matthias Fischer wrote:
> For details see:
> https://dlcdn.apache.org/httpd/CHANGES_2.4.58
>
> Excerpt from changelog:
> "Changes with Apache 2.4.58
>
>    *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
>       memory not reclaimed right away on RST (cve.mitre.org)
>       When a HTTP/2 stream was reset (RST frame) by a client, there
>       was a time window were the request's memory resources were not
>       reclaimed immediately. Instead, de-allocation was deferred to
>       connection close. A client could send new requests and resets,
>       keeping the connection busy and open and causing the memory
>       footprint to keep on growing. On connection close, all resources
>       were reclaimed, but the process might run out of memory before
>       that.
>       This was found by the reporter during testing of CVE-2023-44487
>       (HTTP/2 Rapid Reset Exploit) with their own test client. During
>       "normal" HTTP/2 use, the probability to hit this bug is very
>       low. The kept memory would not become noticeable before the
>       connection closes or times out.
>       Users are recommended to upgrade to version 2.4.58, which fixes
>       the issue.
>       Credits: Will Dormann of Vul Labs
>
>    *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
>       initial windows size 0 (cve.mitre.org)
>       An attacker, opening a HTTP/2 connection with an initial window
>       size of 0, was able to block handling of that connection
>       indefinitely in Apache HTTP Server. This could be used to
>       exhaust worker resources in the server, similar to the well
>       known "slow loris" attack pattern.
>       This has been fixed in version 2.4.58, so that such connection
>       are terminated properly after the configured connection timeout.
>       This issue affects Apache HTTP Server: from 2.4.55 through
>       2.4.57.
>       Users are recommended to upgrade to version 2.4.58, which fixes
>       the issue.
>       Credits: Prof. Sven Dietrich (City University of New York)
>
>    *) SECURITY: CVE-2023-31122: mod_macro buffer over-read
>       (cve.mitre.org)
>       Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
>       Server.This issue affects Apache HTTP Server: through 2.4.57.
>       Credits: David Shoon (github/davidshoon)"
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>   lfs/apache2 | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lfs/apache2 b/lfs/apache2
> index 80462969b..9a0ad38a9 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -25,7 +25,7 @@
>   
>   include Config
>   
> -VER        = 2.4.57
> +VER        = 2.4.58
>   
>   THISAPP    = httpd-$(VER)
>   DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_BLAKE2 = b33b51a741acd308ef4d4bdd2444d43eca9db68676fa67ec907eeea7384554f3f9a5608fc43dcf5819498264bbe36f176f30be9809474307642b70720036b88c
> +$(DL_FILE)_BLAKE2 = 2105b8fada99f1dda55201ed89ed5326f0edb078d352cbff44f02cde80d129b65b63e07366a9a744ba474be5687fa8d3d2d8ddc64ac914b47166607f3f4a9de2
>   
>   install : $(TARGET)
>   

-- 
Sent from my laptop