summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-05 09:59:47 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-05 09:59:47 +0000
commitdb3acad040f4369109cb222a370f839d2ce9d42a (patch)
tree280747280299f9f85e876e7958bfa9041da653ab
parentAdding debian version 2.4.60-1. (diff)
downloadapache2-db3acad040f4369109cb222a370f839d2ce9d42a.tar.xz
apache2-db3acad040f4369109cb222a370f839d2ce9d42a.zip
Merging upstream version 2.4.61.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--CHANGES85
-rw-r--r--docs/manual/misc/security_tips.html.en6
-rw-r--r--docs/manual/misc/security_tips.html.fr.utf82
-rw-r--r--docs/manual/misc/security_tips.html.tr.utf81
-rw-r--r--docs/manual/style/version.ent2
-rw-r--r--httpd.spec2
-rw-r--r--include/ap_release.h2
-rw-r--r--modules/cluster/mod_heartmonitor.c2
-rw-r--r--modules/dav/main/mod_dav.c10
-rw-r--r--modules/examples/mod_example_hooks.c2
-rw-r--r--modules/filters/mod_data.c2
-rw-r--r--modules/filters/mod_include.c2
-rw-r--r--modules/filters/mod_proxy_html.c4
-rw-r--r--modules/generators/mod_cgi.c2
-rw-r--r--modules/generators/mod_cgid.c2
-rw-r--r--modules/generators/mod_info.c2
-rw-r--r--modules/generators/mod_status.c4
-rw-r--r--modules/http/http_filters.c2
-rw-r--r--modules/http/http_protocol.c4
-rw-r--r--modules/http/http_request.c2
-rw-r--r--modules/ldap/util_ldap.c2
-rw-r--r--modules/mappers/mod_imagemap.c2
-rw-r--r--modules/proxy/mod_proxy_balancer.c2
23 files changed, 115 insertions, 31 deletions
diff --git a/CHANGES b/CHANGES
index a1cf74d..eea1e55 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,91 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.61
+
Changes with Apache 2.4.60
+ *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
+ handler substitution (cve.mitre.org)
+ Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
+ earlier allows an attacker to cause unsafe RewriteRules to
+ unexpectedly setup URL's to be handled by mod_proxy.
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
+ Denial of Service in mod_proxy via a malicious request
+ (cve.mitre.org)
+ null pointer dereference in mod_proxy in Apache HTTP Server
+ 2.4.59 and earlier allows an attacker to crash the server via a
+ malicious request.
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38476: Apache HTTP Server may use
+ exploitable/malicious backend application output to run local
+ handlers via internal redirect (cve.mitre.org)
+ Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
+ are vulnerably to information disclosure, SSRF or local script
+ execution via backend applications whose response headers are
+ malicious or exploitable.
+
+ Note: Some legacy uses of the 'AddType' directive to connect a
+ request to a handler must be ported to 'AddHandler' after this fix.
+
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
+ mod_rewrite when first segment of substitution matches
+ filesystem path. (cve.mitre.org)
+ Improper escaping of output in mod_rewrite in Apache HTTP Server
+ 2.4.59 and earlier allows an attacker to map URLs to filesystem
+ locations that are permitted to be served by the server but are
+ not intentionally/directly reachable by any URL, resulting in
+ code execution or source code disclosure.
+ Substitutions in server context that use a backreferences or
+ variables as the first segment of the substitution are affected.
+ Some unsafe RewiteRules will be broken by this change and the
+ rewrite flag "UnsafePrefixStat" can be used to opt back in once
+ ensuring the substitution is appropriately constrained.
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
+ encoded question marks in backreferences (cve.mitre.org)
+ Substitution encoding issue in mod_rewrite in Apache HTTP Server
+ 2.4.59 and earlier allows attacker to execute scripts in
+ directories permitted by the configuration but not directly
+ reachable by any URL or source disclosure of scripts meant to
+ only to be executed as CGI.
+
+ Note: Some RewriteRules that capture and substitute unsafely will now
+ fail unless rewrite flag "UnsafeAllow3F" is specified.
+
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
+ problem (cve.mitre.org)
+ Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
+ earlier allows request URLs with incorrect encoding to be sent
+ to backend services, potentially bypassing authentication via
+ crafted requests.
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
+ (cve.mitre.org)
+ SSRF in Apache HTTP Server on Windows allows to potentially leak
+ NTML hashes to a malicious server via SSRF and malicious
+ requests or content
+
+ Note: Existing configurations that access UNC paths
+ will have to configure new directive "UNCList" to allow access
+ during request processing.
+
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+ *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
+ pointer in websocket over HTTP/2 (cve.mitre.org)
+ Serving WebSocket protocol upgrades over a HTTP/2 connection
+ could result in a Null Pointer dereference, leading to a crash
+ of the server process, degrading performance.
+ Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
+
*) mod_proxy: Fix DNS requests and connections closed before the
configured addressTTL. BZ 69126. [Yann Ylavic]
diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en
index 1143025..71f833e 100644
--- a/docs/manual/misc/security_tips.html.en
+++ b/docs/manual/misc/security_tips.html.en
@@ -135,11 +135,7 @@
mitigating DoS attacks. Further, the
<code class="module"><a href="../mod/event.html">event</a></code> mpm
uses asynchronous processing to avoid devoting a thread to each
- connection. Due to the nature of the OpenSSL library the
- <code class="module"><a href="../mod/event.html">event</a></code> mpm is currently incompatible with
- <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and other input filters. In these
- cases it falls back to the behaviour of the
- <code class="module"><a href="../mod/worker.html">worker</a></code> mpm.</li>
+ connection. </li>
<li>There are a number of third-party modules available
that can restrict certain client behaviors and thereby mitigate
diff --git a/docs/manual/misc/security_tips.html.fr.utf8 b/docs/manual/misc/security_tips.html.fr.utf8
index 043d00a..741a0e7 100644
--- a/docs/manual/misc/security_tips.html.fr.utf8
+++ b/docs/manual/misc/security_tips.html.fr.utf8
@@ -28,6 +28,8 @@
<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
</div>
+<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version
+ anglaise pour les changements récents.</div>
<p>Ce document propose quelques conseils et astuces concernant les
problèmes de sécurité liés
diff --git a/docs/manual/misc/security_tips.html.tr.utf8 b/docs/manual/misc/security_tips.html.tr.utf8
index d2f75cf..0fbc51f 100644
--- a/docs/manual/misc/security_tips.html.tr.utf8
+++ b/docs/manual/misc/security_tips.html.tr.utf8
@@ -28,6 +28,7 @@
<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
<a href="../tr/misc/security_tips.html" title="Türkçe">&nbsp;tr&nbsp;</a></p>
</div>
+<div class="outofdate">Bu çeviri güncel olmayabilir. Son değişiklikler için İngilizce sürüm geçerlidir.</div>
<p>Bir HTTP Sunucusunu ayarlarken dikkat edilmesi gerekenler ve bazı
ipuçları. Öneriler kısmen Apache’ye özel kısmen de genel olacaktır.</p>
diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent
index 45ce7c1..9e62acc 100644
--- a/docs/manual/style/version.ent
+++ b/docs/manual/style/version.ent
@@ -19,6 +19,6 @@
<!ENTITY httpd.major "2">
<!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "60">
+<!ENTITY httpd.patch "61">
<!ENTITY httpd.docs "2.4">
diff --git a/httpd.spec b/httpd.spec
index 1b4a573..9719769 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -4,7 +4,7 @@
Summary: Apache HTTP Server
Name: httpd
-Version: 2.4.60
+Version: 2.4.61
Release: 1
URL: http://httpd.apache.org/
Vendor: Apache Software Foundation
diff --git a/include/ap_release.h b/include/ap_release.h
index 635bdfd..3be7bae 100644
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -43,7 +43,7 @@
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER 60
+#define AP_SERVER_PATCHLEVEL_NUMBER 61
#define AP_SERVER_DEVBUILD_BOOLEAN 0
/* Synchronize the above with docs/manual/style/version.ent */
diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
index 53b6504..68db585 100644
--- a/modules/cluster/mod_heartmonitor.c
+++ b/modules/cluster/mod_heartmonitor.c
@@ -782,7 +782,7 @@ static int hm_handler(request_rec *r)
hmserver.seen = apr_time_now();
hm_update_stat(ctx, &hmserver, r->pool);
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type_ex(r, "text/plain", 1);
ap_set_content_length(r, 2);
ap_rputs("OK", r);
ap_rflush(r);
diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index dea3f18..7a3eed7 100644
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -355,7 +355,7 @@ static int dav_error_response(request_rec *r, int status, const char *body)
r->status = status;
r->status_line = ap_get_status_line(status);
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
/* begin the response now... */
ap_rvputs(r,
@@ -386,7 +386,7 @@ static int dav_error_response_tag(request_rec *r,
{
r->status = err->status;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
ap_rputs(DAV_XML_HEADER DEBUG_CR
"<D:error xmlns:D=\"DAV:\"", r);
@@ -544,7 +544,7 @@ DAV_DECLARE(void) dav_begin_multistatus(apr_bucket_brigade *bb,
{
/* Set the correct status and Content-Type */
r->status = status;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
/* Send the headers and actual multistatus response now... */
ap_fputs(r->output_filters, bb, DAV_XML_HEADER DEBUG_CR
@@ -2016,7 +2016,7 @@ static int dav_method_options(request_rec *r)
/* send the options response */
r->status = HTTP_OK;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
/* send the headers and response body */
ap_rputs(DAV_XML_HEADER DEBUG_CR
@@ -3328,7 +3328,7 @@ static int dav_method_lock(request_rec *r)
(*locks_hooks->close_lockdb)(lockdb);
r->status = HTTP_OK;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
ap_rputs(DAV_XML_HEADER DEBUG_CR "<D:prop xmlns:D=\"DAV:\">" DEBUG_CR, r);
if (lock == NULL)
diff --git a/modules/examples/mod_example_hooks.c b/modules/examples/mod_example_hooks.c
index f7ef5a5..d937906 100644
--- a/modules/examples/mod_example_hooks.c
+++ b/modules/examples/mod_example_hooks.c
@@ -993,7 +993,7 @@ static int x_handler(request_rec *r)
* Set the Content-type header. Note that we do not actually have to send
* the headers: this is done by the http core.
*/
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
/*
* If we're only supposed to send header information (HEAD request), we're
* already there.
diff --git a/modules/filters/mod_data.c b/modules/filters/mod_data.c
index ddadd1b..4e6e636 100644
--- a/modules/filters/mod_data.c
+++ b/modules/filters/mod_data.c
@@ -117,7 +117,7 @@ static apr_status_t data_out_filter(ap_filter_t *f, apr_bucket_brigade *bb)
}
}
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type_ex(r, "text/plain", 1);
}
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 584d8fb..2c0cc67 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -3972,7 +3972,7 @@ static int include_fixup(request_rec *r)
if (r->handler && (strcmp(r->handler, "server-parsed") == 0))
{
if (!r->content_type || !*r->content_type) {
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
}
r->handler = "default-handler";
}
diff --git a/modules/filters/mod_proxy_html.c b/modules/filters/mod_proxy_html.c
index 7783da1..4205a61 100644
--- a/modules/filters/mod_proxy_html.c
+++ b/modules/filters/mod_proxy_html.c
@@ -952,7 +952,7 @@ static apr_status_t proxy_html_filter(ap_filter_t *f, apr_bucket_brigade *bb)
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, APLOGNO(01422)
"No i18n support found. Install mod_xml2enc if required");
enc = XML_CHAR_ENCODING_NONE;
- ap_set_content_type(f->r, "text/html;charset=utf-8");
+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1);
}
else {
/* if we wanted a non-default charset_out, insert the
@@ -968,7 +968,7 @@ static apr_status_t proxy_html_filter(ap_filter_t *f, apr_bucket_brigade *bb)
cenc, NULL));
}
else /* Normal case, everything worked, utf-8 output */
- ap_set_content_type(f->r, "text/html;charset=utf-8");
+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1);
}
ap_fputs(f->next, ctxt->bb, ctxt->cfg->doctype);
diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c
index 3799b06..61d888d 100644
--- a/modules/generators/mod_cgi.c
+++ b/modules/generators/mod_cgi.c
@@ -671,7 +671,7 @@ static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f,
/* Force sub_req to be treated as a CGI request, even if ordinary
* typing rules would have called it something else.
*/
- ap_set_content_type(rr, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1);
/* Run it. */
rr_status = ap_run_sub_req(rr);
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index 1d55b8d..f21eb12 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -1666,7 +1666,7 @@ static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f,
/* Force sub_req to be treated as a CGI request, even if ordinary
* typing rules would have called it something else.
*/
- ap_set_content_type(rr, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1);
/* Run it. */
rr_status = ap_run_sub_req(rr);
diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c
index 1662242..a94e4e4 100644
--- a/modules/generators/mod_info.c
+++ b/modules/generators/mod_info.c
@@ -784,7 +784,7 @@ static int display_info(request_rec * r)
return DECLINED;
}
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
ap_rputs(DOCTYPE_XHTML_1_0T
"<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
index 5bada07..2cb38c7 100644
--- a/modules/generators/mod_status.c
+++ b/modules/generators/mod_status.c
@@ -273,7 +273,7 @@ static int status_handler(request_rec *r)
if (r->method_number != M_GET)
return DECLINED;
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
/*
* Simple table-driven form data set parser that lets you alter the header
@@ -301,7 +301,7 @@ static int status_handler(request_rec *r)
no_table_report = 1;
break;
case STAT_OPT_AUTO:
- ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/plain; charset=ISO-8859-1", 1);
short_report = 1;
break;
}
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index f20aee7..60b44d7 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1261,7 +1261,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r)
}
}
- ap_set_content_type(r, "message/http");
+ ap_set_content_type_ex(r, "message/http", 1);
/* Now we recreate the request, and echo it back */
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index c31e873..3bc666e 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -1443,10 +1443,10 @@ AP_DECLARE(void) ap_send_error_response(request_rec *r, int recursive_error)
request_conf->suppress_charset = 1; /* avoid adding default
* charset later
*/
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
}
else {
- ap_set_content_type(r, "text/html; charset=iso-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=iso-8859-1", 1);
}
if ((status == HTTP_METHOD_NOT_ALLOWED)
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index d59cfe2..71ecc2b 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
r->args = rr->args;
r->finfo = rr->finfo;
r->handler = rr->handler;
- ap_set_content_type(r, rr->content_type);
+ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r));
r->content_encoding = rr->content_encoding;
r->content_languages = rr->content_languages;
r->per_dir_config = rr->per_dir_config;
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index aa0bad1..8c9e587 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -171,7 +171,7 @@ static int util_ldap_handler(request_rec *r)
st = (util_ldap_state_t *) ap_get_module_config(r->server->module_config,
&ldap_module);
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
if (r->header_only)
return OK;
diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c
index 206c0b6..b2dca7e 100644
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -475,7 +475,7 @@ static int imap_reply(request_rec *r, const char *redirect)
static void menu_header(request_rec *r, char *menu)
{
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
ap_escape_html(r->pool, r->uri),
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index b8b452d..3c0f5a8 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -1471,7 +1471,7 @@ static void balancer_display_page(request_rec *r, proxy_server_conf *conf,
if (usexml) {
char date[APR_RFC822_DATE_LEN];
- ap_set_content_type(r, "text/xml");
+ ap_set_content_type_ex(r, "text/xml", 1);
ap_rputs("<?xml version='1.0' encoding='UTF-8' ?>\n", r);
ap_rputs("<httpd:manager xmlns:httpd='http://httpd.apache.org'>\n", r);
ap_rputs(" <httpd:balancers>\n", r);