From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] apache: Update to 2.4.62 Date: Fri, 19 Jul 2024 11:23:46 +0200 Message-ID: In-Reply-To: <20240718151255.3435592-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5910208866174525314==" List-Id: --===============5910208866174525314== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Adolf Belka On 18/07/2024 17:12, Matthias Fischer wrote: > "All good things go by three..." > > For details see: > https://dlcdn.apache.org/httpd/CHANGES_2.4.62 > > "Changes with Apache 2.4.62 > > *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with > mod_rewrite in server/vhost context on Windows (cve.mitre.org) > SSRF in Apache HTTP Server on Windows with mod_rewrite in > server/vhost context, allows to potentially leak NTML hashes to > a malicious server via SSRF and malicious requests. > Users are recommended to upgrade to version 2.4.62 which fixes > this issue. > Credits: Smi1e (DBAPPSecurity Ltd.) > > *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code > disclosure with handlers configured via AddType (cve.mitre.org) > A partial fix for CVE-2024-39884 in the core of Apache HTTP > Server 2.4.61 ignores some use of the legacy content-type based > configuration of handlers. "AddType" and similar configuration, > under some circumstances where files are requested indirectly, > result in source code disclosure of local content. For example, > PHP scripts may be served instead of interpreted. > Users are recommended to upgrade to version 2.4.62, which fixes > this issue. > > *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME)= for > "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets > with BalancerMember(s). PR 69168. [Yann Ylavic] > > *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. > PR 69160 [Yann Ylavic] > > *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. > [Joe Orton] > > *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs > via OpenSSL 3.x providers. [Ingo Franzki ] > > *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >=3D 3.0. > [Ruediger Pluem, Yann Ylavic] > > *) mpm_worker: Fix possible warning (AH00045) about children processes n= ot > terminating timely. [Yann Ylavic]" > > Signed-off-by: Matthias Fischer > --- > lfs/apache2 | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/apache2 b/lfs/apache2 > index 2dfd8b39d..428ef3419 100644 > --- a/lfs/apache2 > +++ b/lfs/apache2 > @@ -25,7 +25,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.61 > +VER =3D 2.4.62 > =20 > THISAPP =3D httpd-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -45,7 +45,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D 9299ef5843888829143732b3a60d1713aff688ed2f6c2b7f154b= e16bc075ec747a5b116716f188491ebc9947ff2dfe09dfc71f5245d98a4be3ba27ada28ec8a5 > +$(DL_FILE)_BLAKE2 =3D 0e5c3b05819771e6ff72933ad715695199a32c384f63de6598e1= 79ff5803580f04639437829305150305c9a2b7d309178552d8c9a2d7248a034c98f445193b95 > =20 > install : $(TARGET) > =20 --=20 Sent from my laptop --===============5910208866174525314==--