author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-08-05 10:00:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-08-05 10:00:10 +0000 |
commit | 3204e211a1e248154ff95b90b6a7e29cfa92069c (patch) | |
tree | 79f901498145b63bf34e9981a013f3d9b52eafc2 /CHANGES | |
parent | Adding upstream version 2.4.61. (diff) | |
Adding upstream version 2.4.62. (refs: upstream/2.4.62, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat
-rw-r--r-- | CHANGES | 34 |
1 files changed, 33 insertions, 1 deletions
@@ -1,6 +1,38 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.62 + + *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for + "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets + with BalancerMember(s). PR 69168. [Yann Ylavic] + + *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. + PR 69160 [Yann Ylavic] + + *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. + [Joe Orton] + + *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs + via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>] + + *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. + [Ruediger Pluem, Yann Ylavic] + + *) mpm_worker: Fix possible warning (AH00045) about children processes not + terminating timely. [Yann Ylavic] + Changes with Apache 2.4.61 + *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) + A regression in the core of Apache HTTP Server 2.4.60 ignores + some use of the legacy content-type based configuration of + handlers. "AddType" and similar configuration, under some + circumstances where files are requested indirectly, result in + source code disclosure of local content. For example, PHP + scripts may be served instead of interpreted. + Users are recommended to upgrade to version 2.4.61, which fixes + this issue. + Changes with Apache 2.4.60 *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy @@ -67,7 +99,7 @@ Changes with Apache 2.4.60 crafted requests. Credits: Orange Tsai (@orange_8361) from DEVCORE - *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF + *) SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF (cve.mitre.org) SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious |
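Review bot: The CVE-2024-39884 entry in the first hunk lands under "Changes with Apache 2.4.61" only in this 2.4.62 import, so the CHANGES file from the previous 2.4.61 import did not carry it. Any downstream changelog or security-tracker entry derived from that file should be checked so the CVE is recorded as fixed in 2.4.61 rather than missed or attributed to 2.4.62. The new 2.4.62 section in the same hunk lists no SECURITY entries, so confirm against upstream's security announcements before classifying this import as a plain bug-fix update. Minor style point: "PR 69168." ends with a period while "PR 69160" does not.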
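Review bot: The spelling fix in the second hunk (the CVE-2024-38472 heading, "WIndows" to "Windows") is incomplete: the unchanged context line just below it still reads "leak NTML hashes", which should be "NTLM". Since this file is imported from upstream, the correction belongs upstream; suggest reporting it there rather than patching locally, so that a search for "NTLM" finds this entry in later imports.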