
Update apache24 to 2.4.53
AbandonedPublic

Authored by cy on Mar 14 2022, 3:17 PM.
Tags
None
Details

Reviewers
se
brnrd
Group Reviewers
portmgr
ports secteam
Summary
Apache HTTP Server 2.4.53 Released

March 14, 2022

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.53 of the Apache
HTTP Server ("Apache").  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
a security, feature and bug fix release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.53 is available for download from:

  https://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

  https://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.53 includes only
those changes introduced since the prior 2.4 release.  A summary of all 
of the security vulnerabilities addressed in this and earlier releases 
is available:

  https://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR), minimum
version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
require the 1.6.x version of both APR and APR-Util. The APR libraries
must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

  https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.

Please note the 2.2.x branch has now passed the end of life at the Apache
HTTP Server project and no further activity will occur including security
patches.  Users must promptly complete their transitions to this 2.4.x
release of httpd to benefit from further bug fixes or new features.
Test Plan

Built and tested here.

Diff Detail

Repository
R11 FreeBSD ports repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

cy requested review of this revision. Mar 14 2022, 3:17 PM
cy created this revision.

@brnrd told me over the weekend that he is already working on the update.
What is the current status Bernard? :)

Subject: CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond
bounds
From: Stefan Eissing <icing@apache.org>
Date: Mon, 14 Mar 2022 10:06:24 +0000 (03:06 PDT)
To: announce@apache.org, dev@httpd.apache.org


Severity: important

Description:

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Credit:

Ronald Crane (Zippenhop LLC)

Subject: CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized
value in r:parsebody
From: Stefan Eissing <icing@apache.org>
Date: Mon, 14 Mar 2022 10:09:26 +0000 (03:09 PDT)
To: announce@apache.org, dev@httpd.apache.org


Severity: moderate

Description:

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

This issue affects Apache HTTP Server 2.4.52 and earlier.

Credit:

Chamal De Silva

Subject: CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow
with very large or unlimited LimitXMLRequestBody
From: Stefan Eissing <icing@apache.org>
Date: Mon, 14 Mar 2022 10:07:40 +0000 (03:07 PDT)
To: announce@apache.org, dev@httpd.apache.org


Severity: low

Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32-bit systems, an integer overflow happens which later causes out-of-bounds writes.

This issue affects Apache HTTP Server 2.4.52 and earlier.

Credit:

Anonymous working with Trend Micro Zero Day Initiative
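The integer overflow described for CVE-2022-22721 above, shown as an added illustration of the bug class. This is not httpd's code and not part of this review; the page only states that a limit above 350MB on 32-bit systems overflows and later causes out-of-bounds writes. Assumptions made here and labelled in the code: the configured limit is multiplied by a fixed expansion factor when sizing a buffer (the factor 6 is chosen because 350MB * 6 lands just above 2^31, which matches the page's threshold for a signed 32-bit product), and the arithmetic is modelled with an unsigned 32-bit type so the demonstration has no undefined behaviour (its wrap point is therefore about 682MB rather than 350MB; the failure mode is the same).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the CVE-2022-22721 bug class, written for this page;
 * it is not httpd's code. Assumptions (not stated on the page): the
 * configured LimitXMLRequestBody is multiplied by a fixed expansion factor
 * when a working buffer is sized, and that arithmetic happens in a 32-bit
 * size type, as on a 32-bit build. The factor 6 is an assumption chosen so
 * that the page's 350MB threshold sits near where a signed 32-bit product
 * would overflow (350MB * 6 is just above 2^31).
 */
#define EXPANSION_FACTOR 6u
#define ONE_MB (1024u * 1024u)

typedef uint32_t size32_t;   /* stands in for size_t on a 32-bit system */

/* Vulnerable pattern: the product silently wraps modulo 2^32, so a large
 * limit yields a buffer far smaller than the data it is meant to hold. */
size32_t unchecked_buffer_size(size32_t limit)
{
    return limit * EXPANSION_FACTOR;
}

/* True when the wrapped size is smaller than the real requirement, i.e. a
 * later write of up to limit*EXPANSION_FACTOR bytes would run past the
 * allocation. The real requirement is computed in 64 bits for comparison. */
bool undersized_after_wrap(size32_t limit)
{
    uint64_t needed = (uint64_t)limit * EXPANSION_FACTOR;
    return (uint64_t)unchecked_buffer_size(limit) < needed;
}

/* Hardened pattern: refuse any limit whose product is not representable,
 * so the buffer is either correctly sized or never allocated at all. This
 * mirrors the idea of capping the directive at configuration time. */
bool checked_buffer_size(size32_t limit, size32_t *out)
{
    if (limit > UINT32_MAX / EXPANSION_FACTOR)
        return false;               /* would overflow: reject the config */
    *out = limit * EXPANSION_FACTOR;
    return true;
}

int main(void)
{
    /* Constructed sample limits: the 1MB default and a 1GB value, which is
     * well above the page's 350MB threshold. */
    size32_t samples[] = { ONE_MB, 1024u * ONE_MB };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size32_t limit = samples[i], sz = 0;
        printf("limit=%u MB: unchecked size=%u bytes, undersized=%s, checked=%s\n",
               limit / ONE_MB, unchecked_buffer_size(limit),
               undersized_after_wrap(limit) ? "yes" : "no",
               checked_buffer_size(limit, &sz) ? "accepted" : "rejected");
    }
    return 0;
}
```

With the 1GB sample the unchecked product wraps to exactly 2^31 bytes, a buffer less than a third of what the input could expand to; the checked variant rejects that limit before any allocation happens, which is the property an upgrade to 2.4.53 (or a sane LimitXMLRequestBody on 32-bit hosts) restores.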

Proposed commit log message:

Update www/apache24 to 2.4.53, fixing four CVEs

PR: 262557
Submitted by: cy
Reported by: cy
Reviewed by: PUT SOMETHING HERE
MFH: 2022Q1
Security: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943

Differential Revision: https://reviews.freebsd.org/D34549