HomeFreeBSD

www/apache24: Update to 2.4.56

Description

www/apache24: Update to 2.4.56

Changes with Apache 2.4.56

*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
   HTTP response splitting (cve.mitre.org)
   HTTP Response Smuggling vulnerability in Apache HTTP Server via
   mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
   2.4.30 through 2.4.55.
   Special characters in the origin response header can
   truncate/split the response forwarded to the client.
   Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

*) SECURITY: CVE-2023-25690: HTTP request splitting with
   mod_rewrite and mod_proxy (cve.mitre.org)
   Some mod_proxy configurations on Apache HTTP Server versions
   2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
   Configurations are affected when mod_proxy is enabled along with
   some form of RewriteRule
   or ProxyPassMatch in which a non-specific pattern matches
   some portion of the user-supplied request-target (URL) data and
   is then
   re-inserted into the proxied request-target using variable
   substitution. For example, something like:
   RewriteEngine on
   RewriteRule "^/here/(.*)" "
   http://example.com:8080/elsewhere?$1"
   http://example.com:8080/elsewhere ; [P]
   ProxyPassReverse /here/  http://example.com:8080/
   http://example.com:8080/
   Request splitting/smuggling could result in bypass of access
   controls in the proxy server, proxying unintended URLs to
   existing origin servers, and cache poisoning.
   Credits: Lars Krapf of Adobe

*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.  [Eric Covener]

*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.  PR 66421.
   [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers. [Ruediger Pluem]

*) mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
   - MDChallengeDns01 can now be configured for individual domains.
     Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
   - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
     teardown not being invoked as it should.
   [Stefan Eissing]

*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unneccesary reporting was caused.
   [Stefan Eissing]

*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
   [Yann Ylavic]

PR: 270037
Reported by: Fabian Wenk <fabian@wenks.ch>
Sponsored by: Netzkommune GmbH

Details

Provenance
Vincent Jancso <vincent.jancso@outlook.com>Authored on Mar 12 2023, 4:37 PM
joneumCommitted on Mar 12 2023, 4:39 PM
Parents
R11:d1238508aa94: x11-wm/hs-xmonad: Update to 0.17.1
Branches
Unknown
Tags
Unknown