Reviewed-by: Adolf Belka On 19/10/2023 20:52, Matthias Fischer wrote: > For details see: > https://dlcdn.apache.org/httpd/CHANGES_2.4.58 > > Excerpt from changelog: > "Changes with Apache 2.4.58 > > *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream > memory not reclaimed right away on RST (cve.mitre.org) > When a HTTP/2 stream was reset (RST frame) by a client, there > was a time window were the request's memory resources were not > reclaimed immediately. Instead, de-allocation was deferred to > connection close. A client could send new requests and resets, > keeping the connection busy and open and causing the memory > footprint to keep on growing. On connection close, all resources > were reclaimed, but the process might run out of memory before > that. > This was found by the reporter during testing of CVE-2023-44487 > (HTTP/2 Rapid Reset Exploit) with their own test client. During > "normal" HTTP/2 use, the probability to hit this bug is very > low. The kept memory would not become noticeable before the > connection closes or times out. > Users are recommended to upgrade to version 2.4.58, which fixes > the issue. > Credits: Will Dormann of Vul Labs > > *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with > initial windows size 0 (cve.mitre.org) > An attacker, opening a HTTP/2 connection with an initial window > size of 0, was able to block handling of that connection > indefinitely in Apache HTTP Server. This could be used to > exhaust worker resources in the server, similar to the well > known "slow loris" attack pattern. > This has been fixed in version 2.4.58, so that such connection > are terminated properly after the configured connection timeout. > This issue affects Apache HTTP Server: from 2.4.55 through > 2.4.57. > Users are recommended to upgrade to version 2.4.58, which fixes > the issue. > Credits: Prof. Sven Dietrich (City University of New York) > > *) SECURITY: CVE-2023-31122: mod_macro buffer over-read > (cve.mitre.org) > Out-of-bounds Read vulnerability in mod_macro of Apache HTTP > Server.This issue affects Apache HTTP Server: through 2.4.57. > Credits: David Shoon (github/davidshoon)" > > Signed-off-by: Matthias Fischer > --- > lfs/apache2 | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/apache2 b/lfs/apache2 > index 80462969b..9a0ad38a9 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > > include Config > > -VER = 2.4.57 > +VER = 2.4.58 > > THISAPP = httpd-$(VER) > DL_FILE = $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = b33b51a741acd308ef4d4bdd2444d43eca9db68676fa67ec907eeea7384554f3f9a5608fc43dcf5819498264bbe36f176f30be9809474307642b70720036b88c > +$(DL_FILE)_BLAKE2 = 2105b8fada99f1dda55201ed89ed5326f0edb078d352cbff44f02cde80d129b65b63e07366a9a744ba474be5687fa8d3d2d8ddc64ac914b47166607f3f4a9de2 > > install : $(TARGET) > -- Sent from my laptop