From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] apache: Update to 2.4.58 Date: Thu, 19 Oct 2023 23:37:02 +0200 Message-ID: <86b51bb8-0ebe-4be1-8642-7413aad27a95@ipfire.org> In-Reply-To: <20231019185232.977-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7659280067272173182==" List-Id: --===============7659280067272173182== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Adolf Belka On 19/10/2023 20:52, Matthias Fischer wrote: > For details see: > https://dlcdn.apache.org/httpd/CHANGES_2.4.58 > > Excerpt from changelog: > "Changes with Apache 2.4.58 > > *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream > memory not reclaimed right away on RST (cve.mitre.org) > When a HTTP/2 stream was reset (RST frame) by a client, there > was a time window were the request's memory resources were not > reclaimed immediately. Instead, de-allocation was deferred to > connection close. A client could send new requests and resets, > keeping the connection busy and open and causing the memory > footprint to keep on growing. On connection close, all resources > were reclaimed, but the process might run out of memory before > that. > This was found by the reporter during testing of CVE-2023-44487 > (HTTP/2 Rapid Reset Exploit) with their own test client. During > "normal" HTTP/2 use, the probability to hit this bug is very > low. The kept memory would not become noticeable before the > connection closes or times out. > Users are recommended to upgrade to version 2.4.58, which fixes > the issue. > Credits: Will Dormann of Vul Labs > > *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with > initial windows size 0 (cve.mitre.org) > An attacker, opening a HTTP/2 connection with an initial window > size of 0, was able to block handling of that connection > indefinitely in Apache HTTP Server. This could be used to > exhaust worker resources in the server, similar to the well > known "slow loris" attack pattern. > This has been fixed in version 2.4.58, so that such connection > are terminated properly after the configured connection timeout. > This issue affects Apache HTTP Server: from 2.4.55 through > 2.4.57. > Users are recommended to upgrade to version 2.4.58, which fixes > the issue. > Credits: Prof. Sven Dietrich (City University of New York) > > *) SECURITY: CVE-2023-31122: mod_macro buffer over-read > (cve.mitre.org) > Out-of-bounds Read vulnerability in mod_macro of Apache HTTP > Server.This issue affects Apache HTTP Server: through 2.4.57. > Credits: David Shoon (github/davidshoon)" > > Signed-off-by: Matthias Fischer > --- > lfs/apache2 | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/apache2 b/lfs/apache2 > index 80462969b..9a0ad38a9 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.57 > +VER =3D 2.4.58 > =20 > THISAPP =3D httpd-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D b33b51a741acd308ef4d4bdd2444d43eca9db68676fa67ec907e= eea7384554f3f9a5608fc43dcf5819498264bbe36f176f30be9809474307642b70720036b88c > +$(DL_FILE)_BLAKE2 =3D 2105b8fada99f1dda55201ed89ed5326f0edb078d352cbff44f0= 2cde80d129b65b63e07366a9a744ba474be5687fa8d3d2d8ddc64ac914b47166607f3f4a9de2 > =20 > install : $(TARGET) > =20 --=20 Sent from my laptop --===============7659280067272173182==--