Re: [PATCH] apache: Update to 2.4.62

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3136 bytes --]

Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>

On 18/07/2024 17:12, Matthias Fischer wrote:
> "All good things go by three..."
>
> For details see:
> https://dlcdn.apache.org/httpd/CHANGES_2.4.62
>
> "Changes with Apache 2.4.62
>
>    *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
>       mod_rewrite in server/vhost context on Windows (cve.mitre.org)
>       SSRF in Apache HTTP Server on Windows with mod_rewrite in
>       server/vhost context, allows to potentially leak NTML hashes to
>       a malicious server via SSRF and malicious requests.
>       Users are recommended to upgrade to version 2.4.62 which fixes
>       this issue.
>       Credits: Smi1e (DBAPPSecurity Ltd.)
>
>    *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
>       disclosure with handlers configured via AddType (cve.mitre.org)
>       A partial fix for  CVE-2024-39884 in the core of Apache HTTP
>       Server 2.4.61 ignores some use of the legacy content-type based
>       configuration of handlers. "AddType" and similar configuration,
>       under some circumstances where files are requested indirectly,
>       result in source code disclosure of local content. For example,
>       PHP scripts may be served instead of interpreted.
>       Users are recommended to upgrade to version 2.4.62, which fixes
>       this issue.
>
>    *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
>       "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
>       with BalancerMember(s).  PR 69168.  [Yann Ylavic]
>
>    *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
>       PR 69160 [Yann Ylavic]
>
>    *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
>       [Joe Orton]
>
>    *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
>       via OpenSSL 3.x providers.  [Ingo Franzki <ifranzki linux.ibm.com>]
>
>    *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
>       [Ruediger Pluem, Yann Ylavic]
>
>    *) mpm_worker: Fix possible warning (AH00045) about children processes not
>       terminating timely.  [Yann Ylavic]"
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>   lfs/apache2 | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lfs/apache2 b/lfs/apache2
> index 2dfd8b39d..428ef3419 100644
> --- a/lfs/apache2
> +++ b/lfs/apache2
> @@ -25,7 +25,7 @@
>   
>   include Config
>   
> -VER        = 2.4.61
> +VER        = 2.4.62
>   
>   THISAPP    = httpd-$(VER)
>   DL_FILE    = $(THISAPP).tar.bz2
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_BLAKE2 = 9299ef5843888829143732b3a60d1713aff688ed2f6c2b7f154be16bc075ec747a5b116716f188491ebc9947ff2dfe09dfc71f5245d98a4be3ba27ada28ec8a5
> +$(DL_FILE)_BLAKE2 = 0e5c3b05819771e6ff72933ad715695199a32c384f63de6598e179ff5803580f04639437829305150305c9a2b7d309178552d8c9a2d7248a034c98f445193b95
>   
>   install : $(TARGET)
>   

-- 
Sent from my laptop