From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: Update to 2.4.52
Date: Sun, 26 Dec 2021 21:14:28 +0000
Message-ID: <95955b63-1003-1f08-5b66-5d753d8a5ecd@ipfire.org>
In-Reply-To: <20211223163252.26494-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1931084712581227738=="
List-Id:

--===============1931084712581227738==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Peter Müller

> Signed-off-by: Matthias Fischer
>
> For details see:
> https://dlcdn.apache.org//httpd/CHANGES_2.4.52
>
> Excerpt from changelog:
>
> ""Changes with Apache 2.4.52
>
> *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
> multipart content in mod_lua of Apache HTTP Server 2.4.51 and
> earlier (cve.mitre.org)
> A carefully crafted request body can cause a buffer overflow in
> the mod_lua multipart parser (r:parsebody() called from Lua
> scripts).
> The Apache httpd team is not aware of an exploit for the
> vulnerability though it might be possible to craft one.
> This issue affects Apache HTTP Server 2.4.51 and earlier.
> Credits: Chamal
>
> *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
> forward proxy configurations in Apache HTTP Server 2.4.51 and
> earlier (cve.mitre.org)
> A crafted URI sent to httpd configured as a forward proxy
> (ProxyRequests on) can cause a crash (NULL pointer dereference)
> or, for configurations mixing forward and reverse proxy
> declarations, can allow for requests to be directed to a
> declared Unix Domain Socket endpoint (Server Side Request
> Forgery).
> This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
> (included).
> Credits: =C3=A6=C2=BC=E2=80=9A=C3=A4=C2=BA=C2=AE=C3=A9=C2=BC
> TengMA(@Te3t123)
> ..."
> ---
> config/rootfiles/common/apache2 | 2 ++
> lfs/apache2 | 4 ++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apac= he2 > index 8442446df..b6e83ab9d 100644 > --- a/config/rootfiles/common/apache2 > +++ b/config/rootfiles/common/apache2 
> @@ -1080,6 +1080,8 @@ srv/web/ipfire/html/captive > #srv/web/ipfire/manual/mod/mod_systemd.html > #srv/web/ipfire/manual/mod/mod_systemd.html.en > #srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8 > +#srv/web/ipfire/manual/mod/mod_tls.html > +#srv/web/ipfire/manual/mod/mod_tls.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html > #srv/web/ipfire/manual/mod/mod_unique_id.html.en > #srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8 > diff --git a/lfs/apache2 b/lfs/apache2 > index b4064cee0..226058a22 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.51 > +VER =3D 2.4.52 > =20 > THISAPP =3D httpd-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D d2793fc1c8cb8ba355cee877d1f2d46d > +$(DL_FILE)_MD5 =3D a94ae42b84309d5ef6e613ae825b92fa > =20 > install : $(TARGET) > =20 >=20 --===============1931084712581227738==--
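
Review bot: in the config/rootfiles/common/apache2 hunk, the only new entries are the two commented-out manual pages mod_tls.html and mod_tls.html.en, and no module file for mod_tls is added anywhere in the patch. Please state in the commit message whether mod_tls is intentionally not built in this package, so it is clear that the rootfile change is documentation-only and that no shipped module is missing from the list.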
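
Review bot: in the second lfs/apache2 hunk, the new tarball is still pinned only by $(DL_FILE)_MD5, and MD5 is not collision-resistant. Since this update exists to pick up the fixes for CVE-2021-44790 and CVE-2021-44224, please confirm in the commit message that httpd-2.4.52.tar.bz2 was checked against the SHA-256/SHA-512 digest or PGP signature that Apache publishes before the MD5 value a94ae42b84309d5ef6e613ae825b92fa was recorded. Moving the source pin to a stronger digest would be a sensible follow-up.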