Date: Mon, 13 Mar 2023 17:30:26 +0000 From: bugzilla-noreply@freebsd.org To: apache@FreeBSD.org Subject: [Bug 270037] www/apache24: Security Update to 2.4.56 Message-ID: <bug-270037-16115-Uht8OxuFWm@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-270037-16115@https.bugs.freebsd.org/bugzilla/> References: <bug-270037-16115@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D270037 --- Comment #4 from commit-hook@FreeBSD.org --- A commit in branch 2023Q1 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3D97fb270dfd31ed025eb29b244ba662c= f1d371e4c commit 97fb270dfd31ed025eb29b244ba662cf1d371e4c Author: Vincent Jancso <vincent.jancso@outlook.com> AuthorDate: 2023-03-12 16:37:16 +0000 Commit: Jochen Neumeister <joneum@FreeBSD.org> CommitDate: 2023-03-13 17:29:41 +0000 www/apache24: Update to 2.4.56 Changes with Apache 2.4.56 *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org) HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Credits: Dimas Fariski Setyawan Putra (nyxsorcerer) *) SECURITY: CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org) Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" " http://example.com:8080/elsewhere?$1" http://example.com:8080/elsewhere ; [P] ProxyPassReverse /here/ http://example.com:8080/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Credits: Lars Krapf of Adobe *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. [Eric Cove= ner] *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in o= rder to allow connections of any age to be reused. Up to now, a negative v= alue was handled as an error when parsing the configuration file. PR 66421. [nailyk <bzapache nailyk.fr>, Christophe Jaillet] *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number of headers. [Ruediger Pluem] *) mod_md: - Enabling ED25519 support and certificate transparency information when building with libressl v3.5.0 and newer. Thanks to Giovanni Bech= is. - MDChallengeDns01 can now be configured for individual domains. Thanks to J=C3=83=C2=A9r=C3=83=C2=B4me Billiras (@bilhackmac) fo= r the initial PR. - Fixed a bug found by J=C3=83=C2=A9r=C3=83=C2=B4me Billiras (@bil= hackmac) that caused the challenge teardown not being invoked as it should. [Stefan Eissing] *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 err= ors reported in access logs and error documents. The processing of the reset was correct, only unneccesary reporting was caused. [Stefan Eissing] *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. [Yann Ylavic] PR: 270037 Reported by: Fabian Wenk <fabian@wenks.ch> Sponsored by: Netzkommune GmbH (cherry picked from commit 8ec7b3510f11d22eedea008ad340daf96057207f) www/apache24/Makefile | 2 +- www/apache24/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-270037-16115-Uht8OxuFWm>