Quelle CHANGES
Sprache: unbekannt
|
|
-*- coding: utf-8 -*-
Changes with Apache 2.4.65
Changes with Apache 2.4.64
*) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
Memory Increase (cve.mitre.org)
Late Release of Memory after Effective Lifetime vulnerability in
Apache HTTP Server.
This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
Users are recommended to upgrade to version 2.4.64, which fixes
the issue.
Credits: Gal Bar Nahum
*) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS
upgrade attack (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server versions
through to 2.4.63, an HTTP desynchronisation attack allows a
man-in-the-middle attacker to hijack an HTTP session via a TLS
upgrade.
Only configurations using "SSLEngine optional" to enable TLS
upgrades are affected. Users are recommended to upgrade to
version 2.4.64, which removes support for TLS upgrade.
Credits: Robert Merget (Technology Innovation Institute)
*) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2
denial of service (cve.mitre.org)
In certain proxy configurations, a denial of service attack
against Apache HTTP Server versions 2.4.26 through to 2.4.63
can be triggered by untrusted clients causing an assertion in
mod_proxy_http2.
Configurations affected are a reverse proxy is configured for an
HTTP/2 backend, with ProxyPreserveHost set to "on".
Credits: Anthony CORSIEZ
*) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access
control bypass with session resumption (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server 2.4.35
through to 2.4.62, an access control bypass by trusted clients
is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for
multiple virtual hosts, with each restricted to a different set
of trusted client certificates (for example with a different
SSLCACertificateFile/Path setting). In such a case, a client
trusted to access one virtual host may be able to access another
virtual host, if SSLStrictSNIVHostCheck is not enabled in either
virtual host.
Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy,
and Juraj Somorovsky at Paderborn University
*) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log
variable escaping (cve.mitre.org)
Insufficient escaping of user-supplied data in mod_ssl in Apache
HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS
client to insert escape characters into log files in some
configurations.
In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by
mod_ssl such as SSL_TLS_SNI, no escaping is performed by either
mod_log_config or mod_ssl and unsanitized data provided by the
client may appear in log files.
Credits: John Runyon
*) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows
due to UNC paths (cve.mitre.org)
Server-Side Request Forgery (SSRF) in Apache HTTP Server on
Windows allows to potentially leak NTLM hashes to a malicious
server via
mod_rewrite or apache expressions that pass unvalidated request
input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher
bar for accepting vulnerability reports regarding SSRF via UNC
paths.
The server offers limited protection against administrators
directing the server to open UNC paths.
Windows servers should limit the hosts they will connect over
via SMB based on the nature of NTLM authentication.
Credits: Kainan Zhang (@4xpl0r3r) from Fortinet
*) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with
mod_headers setting Content-Type header (cve.mitre.org)
SSRF in Apache HTTP Server with mod_proxy loaded allows an
attacker to send outbound proxy requests to a URL controlled by
the attacker. Requires an unlikely configuration where
mod_headers is configured to modify the Content-Type request or
response header with a value provided in the HTTP request.
Users are recommended to upgrade to version 2.4.64 which fixes
this issue.
*) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
HTTP response splitting in the core of Apache HTTP Server allows
an attacker who can manipulate the Content-Type response headers
of applications hosted or proxied by the server can split the
HTTP response.
This vulnerability was described as CVE-2023-38709 but the patch
included in Apache HTTP Server 2.4.59 did not address the issue.
Users are recommended to upgrade to version 2.4.64, which fixes
this issue.
Credits: xiaojunjie@安恒信息杭州市滨江区技能大师工作室
*) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer
size. PR 69402 [Jari Ahonen <jah@progress.com>]
*) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
builds which enable it in libssl natively. [Joe Orton]
*) mod_asis: Fix the log level of the message AH01236.
Github #527 [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_session_dbd: ensure format used with SessionDBDCookieName and
SessionDBDCookieName2 are correct.
Github #503 [Thomas Meyer <thomas m3y3r.de>]
*) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could
inadvertently modify the Content-Type _response_ header. Applies to
Content-Type only and likely to only affect static file responses.
[Eric Covener]
*) mod_ssl: Remove warning over potential uninitialised value
for ssl protocol prior to protocol selection.
[Graham Leggett]
*) mod_proxy: Reuse ProxyRemote connections when possible, like prior
to 2.4.59. [Jean-Frederic Clere, Yann Ylavic]
*) mod_systemd: Add systemd socket activation support. [Paul Querna,
Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton]
*) mod_systemd: Log the SELinux context at startup if available and
enabled. [Joe Orton]
*) mod_http2: update to version 2.0.32
The code setting the connection window size was set wrong,
preventing `H2WindowSize` to work.
Fixed <https://github.com/icing/mod_h2/issues/300>.
[Stefan Eissing, Michael Kaufmann]
*) mod_http2: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
*) mod_lua: Fix memory handling in LuaOutputFilter. PR 69590.
[Guillermo Grandes <guillermo.grandes gmail.com>]
* mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection who a node is unresponsive.
PR69624.
*) mod_proxy_balancer: Fix a regression that caused stickysession keys no
longer be recognized if they are provided as query parameter in the URL.
PR 69443 [Ruediger Pluem]
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
*) mod_dav: Add API to expose DavBasePath setting. [Joe Orton]
*) mod_md: update to version 2.5.1
- Added support for ACME profiles with new directives MDProfile and
MDProfileMandatory.
- When installing a custom CA file via `MDCACertificateFile`, also set the
libcurl option CURLSSLOPT_NO_REVOKE that suppresses complains by Schannel
(when curl is linked with it) about missing CRL/OCSP in certificates.
- Fixed handling of corrupted httpd.json and added test 300_30 for it.
File is removed on error and written again. Fixes #369.
- Added explanation in log for how to proceed when md_store.json could not be
parsed and prevented the server start.
- restored fixed to #336 and #337 which got lost in a sync with Apache svn
- Add Issue Name/Uris to certificate information in md-status handler
- MDomains with static certificate files have MDRenewMode "manual", unless
"always" is configured.
*) core: Report invalid Options= argument when parsing AllowOverride
directives.
Github #310 [Zhou Qingyang <zhou1615 umn.edu>]
*) scoreboard/mod_http2: record durations of HTTP/2 requests.
PR 69579 [Pierre Brochard <pierre.brochard.1982@m4x.org>]
Changes with Apache 2.4.63
*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]
*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]
*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]
*) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <tokunou.yutaka@fujitsu.com>]
*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]
*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]
*) mod_log_config: Fix merging for the "LogFormat" directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo apache.org>]
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without "SSLCryptoDevice" configured. [Joe Orton]
*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]
*) mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]
*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]
*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <mstreeter1@gmail.com>]
*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]
*) mod_rewrite: Don't require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]
*) Windows: Restore the ability to "Include" configuration files on UNC
paths. PR 69313 [Eric Covener]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
*) mod_tls: removed the experimental module. It now is availble standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]
*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]
*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]
Changes with Apache 2.4.62
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]
Changes with Apache 2.4.61
*) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A regression in the core of Apache HTTP Server 2.4.60 ignores
some use of the legacy content-type based configuration of
handlers. "AddType" and similar configuration, under some
circumstances where files are requested indirectly, result in
source code disclosure of local content. For example, PHP
scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.61, which fixes
this issue.
Changes with Apache 2.4.60
*) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
handler substitution (cve.mitre.org)
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
earlier allows an attacker to cause unsafe RewriteRules to
unexpectedly setup URL's to be handled by mod_proxy.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
Denial of Service in mod_proxy via a malicious request
(cve.mitre.org)
null pointer dereference in mod_proxy in Apache HTTP Server
2.4.59 and earlier allows an attacker to crash the server via a
malicious request.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.
Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
mod_rewrite when first segment of substitution matches
filesystem path. (cve.mitre.org)
Improper escaping of output in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows an attacker to map URLs to filesystem
locations that are permitted to be served by the server but are
not intentionally/directly reachable by any URL, resulting in
code execution or source code disclosure.
Substitutions in server context that use a backreferences or
variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change and the
rewrite flag "UnsafePrefixStat" can be used to opt back in once
ensuring the substitution is appropriately constrained.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
encoded question marks in backreferences (cve.mitre.org)
Substitution encoding issue in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly
reachable by any URL or source disclosure of scripts meant to
only to be executed as CGI.
Note: Some RewriteRules that capture and substitute unsafely will now
fail unless rewrite flag "UnsafeAllow3F" is specified.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
problem (cve.mitre.org)
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
earlier allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via
crafted requests.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF
(cve.mitre.org)
SSRF in Apache HTTP Server on Windows allows to potentially leak
NTML hashes to a malicious server via SSRF and malicious
requests or content
Note: Existing configurations that access UNC paths
will have to configure new directive "UNCList" to allow access
during request processing.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
pointer in websocket over HTTP/2 (cve.mitre.org)
Serving WebSocket protocol upgrades over a HTTP/2 connection
could result in a Null Pointer dereference, leading to a crash
of the server process, degrading performance.
Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
*) mod_proxy: Fix DNS requests and connections closed before the
configured addressTTL. PR 69126. [Yann Ylavic]
*) core: On Linux, log the real thread ID in error logs. [Joe Orton]
*) core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396
[Joe Orton]
*) mod_ssl: Reject client-initiated renegotiation with a TLS alert
(rather than connection closure). [Joe Orton, Yann Ylavic]
*) Updated mime.types. [Mohamed Akram <mohd.akram outlook.com>,
Adam Silverstein <adamsilverstein earthboundhosting.com>]
*) mod_ssl: Fix a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set. PR 68863 [Ruediger Pluem]
*) mod_cgid: Optional support for file descriptor passing, fixing
error log handling (configure --enable-cgid-fdpassing) on Unix
platforms. PR 54221. [Joe Orton]
*) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
error logs. PR 61980. [Hank Ibell <hwibell gmail.com>]
*) mod_tls: update version of rustls-ffi to v0.13.0.
[Daniel McCarney (@cpu}]
*) mod_md:
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Changes with Apache 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
After this change, CGI-like scripts cannot set Transfer-Encoding
or Content-Length headers. To restore the ability to set Content-Length
header, set per-request environment variable 'ap_trust_cgilike_cl' to any
non-empty value.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610
[ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
[Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA
name lists for SSLCACertificatePath/SSLCADNRequestPath.
Names will now be consistently sorted. PR 61574.
[Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type
or any XML media type per RFC 7303, avoiding
corruption of Microsoft OOXML formats. PR 64339.
[Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one. PR 65091.
[Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
[Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047.
[Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2. [Joe Orton,
Yann Ylavic]
*) core: Allow mod_env to override system environment vars. [Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
operation which removes a directory/file between apr_dir_read() and
apr_stat(). Current behaviour is to abort the connection which seems
inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler.
[Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
notably with OpenSSL >= 3. PR 68080. [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
[Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname or port
part of the URL. [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy. PR 37355. [Joe Orton]
Changes with Apache 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)
*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
SSL routines::unexpected eof while reading" when using
OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
available. [Rainer Jung]
*) mod_http2: improved early cleanup of streams.
[Stefan Eissing]
*) mod_proxy_http2: improved error handling on connection errors while
response is already underway.
[Stefan Eissing]
*) mod_http2: fixed a bug that could lead to a crash in main connection
output handling. This occured only when the last request on a HTTP/2
connection had been processed and the session decided to shut down.
This could lead to an attempt to send a final GOAWAY while the previous
write was still in progress. See PR 66646.
[Stefan Eissing]
*) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
Fixes PR66752.
[Stefan Eissing]
*) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
described in RFC 8441. A new directive 'H2WebSockets on|off' has been
added. The feature is by default not enabled.
As also discussed in the manual, this feature should work for setups
using "ProxyPass backend-url upgrade=websocket" without further changes.
Special server modules for WebSockets will have to be adapted,
most likely, as the handling if IO events is different with HTTP/2.
HTTP/2 WebSockets are supported on platforms with native pipes. This
excludes Windows.
[Stefan Eissing]
*) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
*) mod_http2: fixed a bug in flushing pending data on an already closed
connection that could lead to a busy loop, preventing the HTTP/2 session
to close down successfully. Fixed PR 66624.
[Stefan Eissing]
*) mod_http2: v2.0.15 with the following fixes and improvements
- New directive 'H2EarlyHint name value' to add headers to a response,
picked up already when a "103 Early Hints" response is sent. 'name' and
'value' must comply to the HTTP field restrictions.
This directive can be repeated several times and header fields of the
same names add. Sending a 'Link' header with 'preload' relation will
also cause a HTTP/2 PUSH if enabled and supported by the client.
- Fixed an issue where requests were not logged and accounted in a timely
fashion when the connection returns to "keepalive" handling, e.g. when
the request served was the last outstanding one.
This led to late appearance in access logs with wrong duration times
reported.
- Accurately report the bytes sent for a request in the '%O' Log format.
This addresses #203, a long outstanding issue where mod_h2 has reported
numbers over-eagerly from internal buffering and not what has actually
been placed on the connection.
The numbers are now the same with and without H2CopyFiles enabled.
[Stefan Eissing]
*) mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
[Stefan Eissing]
*) mod_rewrite: Add server directory to include path as mod_rewrite requires
test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
*) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
of HTTP/2 requests in a forward proxy configuration.
General forward proxying is enabled via `ProxyRequests`. If the
HTTP/2 protocol is also enabled for such a server/host, this new
directive is needed in addition.
[Stefan Eissing]
*) core: Updated conf/mime.types:
- .js moved from 'application/javascript' to 'text/javascript'
- .mjs was added as 'text/javascript'
- add .opus ('audio/ogg')
- add 'application/vnd.geogebra.slides'
- add WebAssembly MIME types and extension
[Mathias Bynens <@mathiasbynens> via PR 318,
Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
Zbynek Konecny <zbynek1729 gmail.com>]
*) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
connection when sending data on the frontend one. This caused crashes
or infinite loops in rare situations.
*) mod_proxy_http2: fixed a bug in retry/response handling that could lead
to wrong status codes or HTTP messages send at the end of response bodies
exceeding the announced content-length.
*) mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
*) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
the wrong order when a bucket_beam was destroyed.
[Stefan Eissing]
*) mod_http2: avoid double chunked-encoding on internal redirects.
PR 66597 [Yann Ylavic, Stefan Eissing]
*) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
HTTP/2 requests twice. Fixes PR 66801.
[Stefan Eissing]
*) mod_ssl: Fix handling of Certificate Revoked messages
in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
*) mod_http2: fixed a bug in handling of stream timeouts.
[Stefan Eissing]
*) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
Checking in configure for proper version installed. Code
fixes for changed clienthello member name.
[Stefan Eissing]
*) mod_md:
- New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
the command also with the challenge value on `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
- For Managed Domain in "manual" mode, the checks if all used ServerName and
ServerAlias are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
- MDChallengeDns01 can now be configured for individual domains.
Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
*) mod_ldap: Avoid performance overhead of APR-util rebind cache for
OpenLDAP 2.2+. PR 64414. [Joe Orton]
*) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
amount of response body bytes put into a single HTTP/2 DATA frame.
Setting this to 0 places no limit (but the max size allowed by the
protocol is observed).
The module, by default, tries to use the maximum size possible, which is
somewhat around 16KB. This sets the maximum. When less response data is
available, smaller frames will be sent.
*) mod_md: fixed passing of the server environment variables to programs
started via MDMessageCmd and MDChallengeDns01 on *nix system.
See <https://github.com/icing/mod_md/issues/319>.
[Stefan Eissing]
*) mod_dav: Add DavBasePath directive to configure the repository root
path. PR 35077. [Joe Orton]
*) mod_alias: Add AliasPreservePath directive to map the full
path after the alias in a location. [Graham Leggett]
*) mod_alias: Add RedirectRelative to allow relative redirect targets to be
issued as-is. [Eric Covener, Graham Leggett]
*) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
sure that if the format is configured early enough it applies to every log
line. PR 62161. [Yann Ylavic]
*) mod_deflate: Add DeflateAlterETag to control how the ETag
is modified. The 'NoChange' parameter mimics 2.2.x behavior.
PR 45023, PR 39727. [Eric Covener]
*) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
*) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
Resolve inconsistency between the previous two occurrences by
counting workers in state SERVER_GRACEFUL no longer as busy,
but instead in a new counter "GracefulWorkers" (or on HTML
view as "workers gracefully restarting"). Also add the graceful
counter as a new column to the existing HTML per process table
for async MPMs. PR 63300. [Rainer Jung]
Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]
Changes with Apache 2.4.56
*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via
mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
*) SECURITY: CVE-2023-25690: HTTP request splitting with
mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
some form of RewriteRule or ProxyPassMatch in which a non-specific
pattern matches some portion of the user-supplied request-target (URL)
data and is then re-inserted into the proxied request-target
using variable substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
Credits: Lars Krapf of Adobe
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers. [Ruediger Pluem]
*) mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
[Stefan Eissing]
*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
[Stefan Eissing]
*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
[Yann Ylavic]
Changes with Apache 2.4.55
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
*) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
*) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
*) mod_http2: version 2.0.11 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
*) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
*) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
*) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
*) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
*) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
*) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
*) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
[Ruediger Pluem]
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
storage instead of slotmem. Needed after setting
HeartbeatMaxServers default to the documented value 10 in 2.4.54.
PR 66131. [Jérôme Billiras]
*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
This is a game changer for performances if client use PROPFIND a lot,
PR 66313. [Emmanuel Dreyfus]
Changes with Apache 2.4.54
*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
hop-by-hop mechanism (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin
server/application.
Credits: The Apache HTTP Server project would like to thank
Gaetan Ferry (Synacktiv) for reporting this issue
*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
websockets (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-30522: mod_sed denial of service
(cve.mitre.org)
If Apache HTTP Server 2.4.53 is configured to do transformations
with mod_sed in contexts where the input to mod_sed may be very
large, mod_sed may make excessively large memory allocations and
trigger an abort.
Credits: This issue was found by Brian Moussalli from the JFrog
Security Research team
*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
r:parsebody (cve.mitre.org)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to
a lua script that calls r:parsebody(0) may cause a denial of
service due to no default limit on possible input size.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-28615: Read beyond bounds in
ap_strcmp_match() (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may crash or disclose
information due to a read beyond bounds in ap_strcmp_match()
when provided with an extremely large input buffer. While no
code distributed with the server can be coerced into such a
call, third-party modules or lua scripts that use
ap_strcmp_match() may hypothetically be affected.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
(cve.mitre.org)
The ap_rwrite() function in Apache HTTP Server 2.4.53 and
earlier may read unintended memory if an attacker can cause the
server to reflect very large input using ap_rwrite() or
ap_rputs(), such as with mod_luas r:puts() function.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
(cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
bounds when configured to process requests with the mod_isapi
module.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.53 and prior versions.
Credits: Ricter Z @ 360 Noah Lab
*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
[Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]
*) mod_md: a bug was fixed that caused very large MDomains
with the combined DNS names exceeding ~7k to fail, as
request bodies would contain partially wrong data from
uninitialized memory. This would have appeared as failure
in signing-up/renewing such configurations.
[Stefan Eissing, Ronald Crane (Zippenhop LLC)]
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]
*) MPM event: Restart children processes killed before idle maintenance.
PR 65769. [Yann Ylavic, Ruediger Pluem]
*) ab: Allow for TLSv1.3 when the SSL library supports it.
[abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
transmission delays. PR 66019. [Yann Ylavic]
*) MPM event: Fix accounting of active/total processes on ungraceful restart,
PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]
*) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
Credit to <generalbugs@zippenhop.com> for finding this.
[Stefan Eissing]
*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
[Stefan Eissing]
*) mod_http2: remove unused and insecure code. Fixes PR66037.
Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
[Stefan Eissing]
*) mod_proxy: Add backend port to log messages to
ease identification of involved service. [Rainer Jung]
*) mod_http2: removing unscheduling of ongoing tasks when
connection shows potential abuse by a client. This proved
counter-productive and the abuse detection can false flag
requests using server-side-events.
Fixes <https://github.com/icing/mod_h2/issues/231>.
[Stefan Eissing]
*) mod_md: Implement full auto status ("key: value" type status output).
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
[Rainer Jung]
*) mod_md: fixed a bug leading to failed transfers for OCSP
stapling information when more than 6 certificates needed
updates in the same run. [Stefan Eissing]
*) mod_proxy: Set a status code of 502 in case the backend just closed the
connection in reply to our forwarded request. [Ruediger Pluem]
*) mod_md: a possible NULL pointer deref was fixed in
the JSON code for persisting time periods (start+end).
Fixes #282 on mod_md's github.
Thanks to @marcstern for finding this. [Stefan Eissing]
*) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
no shared memory slotmem was initialized. [Rainer Jung]
*) mod_md: added support for managing certificates via a
local tailscale daemon for users of that secure networking.
This gives trusted certificates for tailscale assigned
domain names in the *.ts.net space.
[Stefan Eissing]
*) core: Change default value of LimitRequestBody from 0 (unlimited)
to 1GB. [Eric Covener]
Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
(cve.mitre.org)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
Server allows an attacker to overwrite heap memory with possibly
attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions.
Credits: Ronald Crane (Zippenhop LLC)
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
If LimitXMLRequestBody is set to allow request bodies larger
than 350MB (defaults to 1M) on 32 bit systems an integer
overflow happens which later causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
Apache HTTP Server 2.4.52 and earlier fails to close inbound
connection when errors are encountered discarding the request
body, exposing the server to HTTP Request Smuggling
Credits: James Kettle <james.kettle portswigger.net>
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
in r:parsebody (cve.mitre.org)
A carefully crafted request body can cause a read to a random
memory area which could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Chamal De Silva
*) core: Make sure and check that LimitXMLRequestBody fits in system memory.
[Ruediger Pluem, Yann Ylavic]
*) core: Simpler connection close logic if discarding the request body fails.
[Yann Ylavic, Ruediger Pluem]
*) mod_http2: preserve the port number given in a HTTP/1.1
request that was Upgraded to HTTP/2. Fixes PR65881.
[Stefan Eissing]
*) mod_proxy: Allow for larger worker name. PR 53218. [Yann Ylavic]
*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
an attempt to load a dbm driver fails, log clearly which driver triggered
the error (not "default"), and what the error was. [Graham Leggett]
*) mod_proxy: Use the maxium of front end and backend timeouts instead of the
minimum when tunneling requests (websockets, CONNECT requests).
Backend timeouts can be configured more selectively (per worker if needed)
as front end timeouts and typically the backend timeouts reflect the
application requirements better. PR 65886 [Ruediger Pluem]
*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
when an efficient TLS implementation is available. [Yann Ylavic]
*) core, mod_info: Add compiled and loaded PCRE versions to version
number display. [Rainer Jung]
*) mod_md: do not interfere with requests to /.well-known/acme-challenge/
resources if challenge type 'http-01' is not configured for a domain.
Fixes <https://github.com/icing/mod_md/issues/279>.
[Stefan Eissing]
*) mod_dav: Fix regression when gathering properties which could lead to huge
memory consumption proportional to the number of resources.
[Evgeny Kotkov, Ruediger Pluem]
*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
for regular expression evaluation. This depends on locating pcre2-config.
[William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
*) Add the ldap function to the expression API, allowing LDAP filters and
distinguished names based on expressions to be escaped correctly to
guard against LDAP injection. [Graham Leggett]
*) mod_md: the status description in MDomain's JSON, exposed in the
md-status handler (if configured) did sometimes not carry the correct
message when certificates needed renew.
[Stefan Eissing]
*) mpm_event: Fix a possible listener deadlock on heavy load when restarting
and/or reaching MaxConnectionsPerChild. PR 65769. [Yann Ylavic]
Changes with Apache 2.4.52
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerability though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
Credits: Chamal
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
Credits: 漂亮鼠
TengMA(@Te3t123)
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic]
*) configure: OpenSSL detection will now use pkg-config data from
.../lib64/ within the --with-ssl path. [Jean-Frederic Clere]
*) mod_proxy_connect, mod_proxy: Do not change the status code after we
already sent it to the client. [Ruediger Pluem]
*) mod_http: Correctly sent a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request. PR 65725 [Ruediger Pluem]
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
elements and property elements that need to be taken into account
when generating a property. The document element and property element
are made available in the dav_liveprop_elem structure by calling
dav_get_liveprop_element(). [Graham Leggett]
*) mod_dav: Add utility functions dav_validate_root_ns(),
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
dav_find_attr() so that other modules get to play too.
[Graham Leggett]
*) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
[Yann Ylavic, Ruediger Pluem]
*) mod_http2: fixes 2 regressions in server limit handling.
1. When reaching server limits, such as MaxRequestsPerChild, the
HTTP/2 connection send a GOAWAY frame much too early on new
connections, leading to invalid protocol state and a client
failing the request. See PR65731.
The module now initializes the HTTP/2 protocol correctly and
allows the client to submit one request before the shutdown
via a GOAWAY frame is being announced.
2. A regression in v1.15.24 was fixed that could lead to httpd
child processes not being terminated on a graceful reload or
when reaching MaxConnectionsPerChild. When unprocessed h2
requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
[Stefan Eissing]
*) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung,
Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton,
Giovanni Bechis]
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
while tunneling. [Yann Ylavic]
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
half-close forwarding when tunneling protocols. [Yann Ylavic]
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
a third-party module. PR 65627.
[acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
--> --------------------
--> maximum size reached
--> --------------------
[ Dauer der Verarbeitung: 0.11 Sekunden
(vorverarbeitet)
]
|
2026-03-28
|
