Menü Schließen

Apache 2.4.56 Security und Bugfix Release

Apache2 Logo

Die Apache Software Foundation hat die neue Version 2.4.56 des beliebten HTTP Webserver Apache2 veröffentlicht. Das Release schließt Sicherheitslücken im mod_proxy_uwsgi, mod_proxy und mod_rewrite Modulen, führt Verbesserungen durch und behebt Fehler.

Apache 2.4.56 Release Notes

  • SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting ( HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
  • SECURITY: CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy ( Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule “^/here/(.)” “$1″ ; [P]
    ProxyPassReverse /here/
    Request splitting/smuggling could result in bypass of access
    controls in the proxy server, proxying unintended URLs to
    existing origin servers, and cache poisoning.
    Credits: Lars Krapf of Adobe
  • rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
    truncated without the initial logfile being truncated. [Eric Covener]
  • mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
    allow connections of any age to be reused. Up to now, a negative value
    was handled as an error when parsing the configuration file. PR 66421.
    [nailyk , Christophe Jaillet]
  • mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
    of headers. [Ruediger Pluem]
  • mod_md:
    – Enabling ED25519 support and certificate transparency information when
    building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
    – MDChallengeDns01 can now be configured for individual domains.
    Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
    РFixed a bug found by J̩r̫me Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
    [Stefan Eissing]
  • mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
    reported in access logs and error documents. The processing of the
    reset was correct, only unneccesary reporting was caused.
    [Stefan Eissing]
  • mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
    [Yann Ylavic]


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert