public inbox for development@lists.ipfire.org
* [PATCH] apache: Update to 2.4.52
@ 2021-12-23 16:32 Matthias Fischer
  2021-12-24 11:30 ` Michael Tremer
  2021-12-26 21:14 ` Peter Müller
  0 siblings, 2 replies; 3+ messages in thread
From: Matthias Fischer @ 2021-12-23 16:32 UTC
  To: development

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>

For details see:
https://dlcdn.apache.org//httpd/CHANGES_2.4.52

Excerpt from changelog:

"Changes with Apache 2.4.52

  *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerability though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.
     Credits: Chamal

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).
     Credits: 漂亮鼠
     TengMA(@Te3t123)
..."
---
 config/rootfiles/common/apache2 | 2 ++
 lfs/apache2                     | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
index 8442446df..b6e83ab9d 100644
--- a/config/rootfiles/common/apache2
+++ b/config/rootfiles/common/apache2
@@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive
 #srv/web/ipfire/manual/mod/mod_systemd.html
 #srv/web/ipfire/manual/mod/mod_systemd.html.en
 #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8
+#srv/web/ipfire/manual/mod/mod_tls.html
+#srv/web/ipfire/manual/mod/mod_tls.html.en
 #srv/web/ipfire/manual/mod/mod_unique_id.html
 #srv/web/ipfire/manual/mod/mod_unique_id.html.en
 #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8
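
Review bot: The commit message does not cover this rootfile change: the two added lines, #srv/web/ipfire/manual/mod/mod_tls.html and mod_tls.html.en, show that 2.4.52 installs manual pages for a module that was not listed before, yet the message quotes only the two security entries. Please add a line saying the rootfile was updated for the new mod_tls documentation, and confirm that the build produces no other new mod_tls files outside the manual that would also need an entry here. Keeping the new paths commented out matches the neighbouring manual entries.
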
diff --git a/lfs/apache2 b/lfs/apache2
index b4064cee0..226058a22 100644
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 2.4.51
+VER        = 2.4.52
 
 THISAPP    = httpd-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d
+$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa
 
 install : $(TARGET)
 
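
Review bot: The only integrity check on the new tarball is the MD5 value on the changed $(DL_FILE)_MD5 line, and MD5 is not collision resistant, so it catches a corrupted download but not a deliberately substituted file. Since this update is security-driven, please state in the commit message that httpd-2.4.52.tar.bz2 was verified against upstream's published SHA-256 checksum or PGP signature before this value was computed. If the lfs build system can carry a stronger digest alongside MD5, this line is where it should be added.
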
-- 
2.18.0



* Re: [PATCH] apache: Update to 2.4.52
  2021-12-23 16:32 [PATCH] apache: Update to 2.4.52 Matthias Fischer
@ 2021-12-24 11:30 ` Michael Tremer
  2021-12-26 21:14 ` Peter Müller
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Tremer @ 2021-12-24 11:30 UTC
  To: development

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 23 Dec 2021, at 17:32, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> 
> For details see:
> https://dlcdn.apache.org//httpd/CHANGES_2.4.52
> 
> Excerpt from changelog:
> 
> "Changes with Apache 2.4.52
> 
>  *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
>     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
>     earlier (cve.mitre.org)
>     A carefully crafted request body can cause a buffer overflow in
>     the mod_lua multipart parser (r:parsebody() called from Lua
>     scripts).
>     The Apache httpd team is not aware of an exploit for the
>     vulnerability though it might be possible to craft one.
>     This issue affects Apache HTTP Server 2.4.51 and earlier.
>     Credits: Chamal
> 
>  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
>     forward proxy configurations in Apache HTTP Server 2.4.51 and
>     earlier (cve.mitre.org)
>     A crafted URI sent to httpd configured as a forward proxy
>     (ProxyRequests on) can cause a crash (NULL pointer dereference)
>     or, for configurations mixing forward and reverse proxy
>     declarations, can allow for requests to be directed to a
>     declared Unix Domain Socket endpoint (Server Side Request
>     Forgery).
>     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
>     (included).
>     Credits: 漂亮鼠
>     TengMA(@Te3t123)
> ..."
> ---
> config/rootfiles/common/apache2 | 2 ++
> lfs/apache2                     | 4 ++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
> index 8442446df..b6e83ab9d 100644
> --- a/config/rootfiles/common/apache2
> +++ b/config/rootfiles/common/apache2
> @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive
> #srv/web/ipfire/manual/mod/mod_systemd.html
> #srv/web/ipfire/manual/mod/mod_systemd.html.en
> #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8
> +#srv/web/ipfire/manual/mod/mod_tls.html
> +#srv/web/ipfire/manual/mod/mod_tls.html.en
> #srv/web/ipfire/manual/mod/mod_unique_id.html
> #srv/web/ipfire/manual/mod/mod_unique_id.html.en
> #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8
> diff --git a/lfs/apache2 b/lfs/apache2
> index b4064cee0..226058a22 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -25,7 +25,7 @@
> 
> include Config
> 
> -VER        = 2.4.51
> +VER        = 2.4.52
> 
> THISAPP    = httpd-$(VER)
> DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d
> +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa
> 
> install : $(TARGET)
> 
> -- 
> 2.18.0
> 



* Re: [PATCH] apache: Update to 2.4.52
  2021-12-23 16:32 [PATCH] apache: Update to 2.4.52 Matthias Fischer
  2021-12-24 11:30 ` Michael Tremer
@ 2021-12-26 21:14 ` Peter Müller
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Müller @ 2021-12-26 21:14 UTC
  To: development

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>


> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> 
> For details see:
> https://dlcdn.apache.org//httpd/CHANGES_2.4.52
> 
> Excerpt from changelog:
> 
> "Changes with Apache 2.4.52
> 
>    *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
>       multipart content in mod_lua of Apache HTTP Server 2.4.51 and
>       earlier (cve.mitre.org)
>       A carefully crafted request body can cause a buffer overflow in
>       the mod_lua multipart parser (r:parsebody() called from Lua
>       scripts).
>       The Apache httpd team is not aware of an exploit for the
>       vulnerability though it might be possible to craft one.
>       This issue affects Apache HTTP Server 2.4.51 and earlier.
>       Credits: Chamal
> 
>    *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
>       forward proxy configurations in Apache HTTP Server 2.4.51 and
>       earlier (cve.mitre.org)
>       A crafted URI sent to httpd configured as a forward proxy
>       (ProxyRequests on) can cause a crash (NULL pointer dereference)
>       or, for configurations mixing forward and reverse proxy
>       declarations, can allow for requests to be directed to a
>       declared Unix Domain Socket endpoint (Server Side Request
>       Forgery).
>       This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
>       (included).
>       Credits: 漂亮鼠
>       TengMA(@Te3t123)
> ..."
> ---
>   config/rootfiles/common/apache2 | 2 ++
>   lfs/apache2                     | 4 ++--
>   2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
> index 8442446df..b6e83ab9d 100644
> --- a/config/rootfiles/common/apache2
> +++ b/config/rootfiles/common/apache2
> @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive
>   #srv/web/ipfire/manual/mod/mod_systemd.html
>   #srv/web/ipfire/manual/mod/mod_systemd.html.en
>   #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8
> +#srv/web/ipfire/manual/mod/mod_tls.html
> +#srv/web/ipfire/manual/mod/mod_tls.html.en
>   #srv/web/ipfire/manual/mod/mod_unique_id.html
>   #srv/web/ipfire/manual/mod/mod_unique_id.html.en
>   #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8
> diff --git a/lfs/apache2 b/lfs/apache2
> index b4064cee0..226058a22 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -25,7 +25,7 @@
>   
>   include Config
>   
> -VER        = 2.4.51
> +VER        = 2.4.52
>   
>   THISAPP    = httpd-$(VER)
>   DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = d2793fc1c8cb8ba355cee877d1f2d46d
> +$(DL_FILE)_MD5 = a94ae42b84309d5ef6e613ae825b92fa
>   
>   install : $(TARGET)
>   
> 
