Apache 2.4.56 Security und Bugfix Release

Apache2 Logo

Die Apache Software Foundation hat die neue Version 2.4.56 des beliebten HTTP Webserver Apache2 veröffentlicht. Das Release schließt Sicherheitslücken im mod_proxy_uwsgi, mod_proxy und mod_rewrite Modulen, führt Verbesserungen durch und behebt Fehler.

Apache 2.4.56 Release Notes

  • SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org) HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
  • SECURITY: CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org) Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule “^/here/(.)” “
    http://example.com:8080/elsewhere?$1″
    http://example.com:8080/elsewhere ; [P]
    ProxyPassReverse /here/ http://example.com:8080/
    http://example.com:8080/
    Request splitting/smuggling could result in bypass of access
    controls in the proxy server, proxying unintended URLs to
    existing origin servers, and cache poisoning.
    Credits: Lars Krapf of Adobe
  • rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
    truncated without the initial logfile being truncated. [Eric Covener]
  • mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
    allow connections of any age to be reused. Up to now, a negative value
    was handled as an error when parsing the configuration file. PR 66421.
    [nailyk , Christophe Jaillet]
  • mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
    of headers. [Ruediger Pluem]
  • mod_md:
    – Enabling ED25519 support and certificate transparency information when
    building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
    – MDChallengeDns01 can now be configured for individual domains.
    Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
    – Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
    [Stefan Eissing]
  • mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
    reported in access logs and error documents. The processing of the
    reset was correct, only unneccesary reporting was caused.
    [Stefan Eissing]
  • mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
    [Yann Ylavic]

Quelle: https://dlcdn.apache.org/httpd/CHANGES_2.4.56

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert