-rw-r--r-- | CHANGES | 85 | ||||
-rw-r--r-- | docs/manual/misc/security_tips.html.en | 6 | ||||
-rw-r--r-- | docs/manual/misc/security_tips.html.fr.utf8 | 2 | ||||
-rw-r--r-- | docs/manual/misc/security_tips.html.tr.utf8 | 1 | ||||
-rw-r--r-- | docs/manual/style/version.ent | 2 | ||||
-rw-r--r-- | httpd.spec | 2 | ||||
-rw-r--r-- | include/ap_release.h | 2 | ||||
-rw-r--r-- | modules/cluster/mod_heartmonitor.c | 2 | ||||
-rw-r--r-- | modules/dav/main/mod_dav.c | 10 | ||||
-rw-r--r-- | modules/examples/mod_example_hooks.c | 2 | ||||
-rw-r--r-- | modules/filters/mod_data.c | 2 | ||||
-rw-r--r-- | modules/filters/mod_include.c | 2 | ||||
-rw-r--r-- | modules/filters/mod_proxy_html.c | 4 | ||||
-rw-r--r-- | modules/generators/mod_cgi.c | 2 | ||||
-rw-r--r-- | modules/generators/mod_cgid.c | 2 | ||||
-rw-r--r-- | modules/generators/mod_info.c | 2 | ||||
-rw-r--r-- | modules/generators/mod_status.c | 4 | ||||
-rw-r--r-- | modules/http/http_filters.c | 2 | ||||
-rw-r--r-- | modules/http/http_protocol.c | 4 | ||||
-rw-r--r-- | modules/http/http_request.c | 2 | ||||
-rw-r--r-- | modules/ldap/util_ldap.c | 2 | ||||
-rw-r--r-- | modules/mappers/mod_imagemap.c | 2 | ||||
-rw-r--r-- | modules/proxy/mod_proxy_balancer.c | 2 |
23 files changed, 115 insertions, 31 deletions
@@ -1,6 +1,91 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.61 + Changes with Apache 2.4.60 + *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy + handler substitution (cve.mitre.org) + Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and + earlier allows an attacker to cause unsafe RewriteRules to + unexpectedly setup URL's to be handled by mod_proxy. + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in + Denial of Service in mod_proxy via a malicious request + (cve.mitre.org) + null pointer dereference in mod_proxy in Apache HTTP Server + 2.4.59 and earlier allows an attacker to crash the server via a + malicious request. + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38476: Apache HTTP Server may use + exploitable/malicious backend application output to run local + handlers via internal redirect (cve.mitre.org) + Vulnerability in core of Apache HTTP Server 2.4.59 and earlier + are vulnerably to information disclosure, SSRF or local script + execution via backend applications whose response headers are + malicious or exploitable. + + Note: Some legacy uses of the 'AddType' directive to connect a + request to a handler must be ported to 'AddHandler' after this fix. + + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in + mod_rewrite when first segment of substitution matches + filesystem path. (cve.mitre.org) + Improper escaping of output in mod_rewrite in Apache HTTP Server + 2.4.59 and earlier allows an attacker to map URLs to filesystem + locations that are permitted to be served by the server but are + not intentionally/directly reachable by any URL, resulting in + code execution or source code disclosure. + Substitutions in server context that use a backreferences or + variables as the first segment of the substitution are affected. 
+ Some unsafe RewiteRules will be broken by this change and the + rewrite flag "UnsafePrefixStat" can be used to opt back in once + ensuring the substitution is appropriately constrained. + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with + encoded question marks in backreferences (cve.mitre.org) + Substitution encoding issue in mod_rewrite in Apache HTTP Server + 2.4.59 and earlier allows attacker to execute scripts in + directories permitted by the configuration but not directly + reachable by any URL or source disclosure of scripts meant to + only to be executed as CGI. + + Note: Some RewriteRules that capture and substitute unsafely will now + fail unless rewrite flag "UnsafeAllow3F" is specified. + + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding + problem (cve.mitre.org) + Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and + earlier allows request URLs with incorrect encoding to be sent + to backend services, potentially bypassing authentication via + crafted requests. + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF + (cve.mitre.org) + SSRF in Apache HTTP Server on Windows allows to potentially leak + NTML hashes to a malicious server via SSRF and malicious + requests or content + + Note: Existing configurations that access UNC paths + will have to configure new directive "UNCList" to allow access + during request processing. + + Credits: Orange Tsai (@orange_8361) from DEVCORE + + *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null + pointer in websocket over HTTP/2 (cve.mitre.org) + Serving WebSocket protocol upgrades over a HTTP/2 connection + could result in a Null Pointer dereference, leading to a crash + of the server process, degrading performance. 
+ Credits: Marc Stern (<marc.stern AT approach-cyber.com>) + *) mod_proxy: Fix DNS requests and connections closed before the configured addressTTL. BZ 69126. [Yann Ylavic] diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en index 1143025..71f833e 100644 --- a/docs/manual/misc/security_tips.html.en +++ b/docs/manual/misc/security_tips.html.en @@ -135,11 +135,7 @@ mitigating DoS attacks. Further, the <code class="module"><a href="../mod/event.html">event</a></code> mpm uses asynchronous processing to avoid devoting a thread to each - connection. Due to the nature of the OpenSSL library the - <code class="module"><a href="../mod/event.html">event</a></code> mpm is currently incompatible with - <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and other input filters. In these - cases it falls back to the behaviour of the - <code class="module"><a href="../mod/worker.html">worker</a></code> mpm.</li> + connection. </li> <li>There are a number of third-party modules available that can restrict certain client behaviors and thereby mitigate diff --git a/docs/manual/misc/security_tips.html.fr.utf8 b/docs/manual/misc/security_tips.html.fr.utf8 index 043d00a..741a0e7 100644 --- a/docs/manual/misc/security_tips.html.fr.utf8 +++ b/docs/manual/misc/security_tips.html.fr.utf8 @@ -28,6 +28,8 @@ <a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | <a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> </div> +<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version + anglaise pour les changements récents.</div> <p>Ce document propose quelques conseils et astuces concernant les problèmes de sécurité liés diff --git a/docs/manual/misc/security_tips.html.tr.utf8 b/docs/manual/misc/security_tips.html.tr.utf8 index d2f75cf..0fbc51f 100644 --- a/docs/manual/misc/security_tips.html.tr.utf8 
+++ b/docs/manual/misc/security_tips.html.tr.utf8 @@ -28,6 +28,7 @@ <a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | <a href="../tr/misc/security_tips.html" title="Türkçe"> tr </a></p> </div> +<div class="outofdate">Bu çeviri güncel olmayabilir. Son değişiklikler için İngilizce sürüm geçerlidir.</div> <p>Bir HTTP Sunucusunu ayarlarken dikkat edilmesi gerekenler ve bazı ipuçları. Öneriler kısmen Apache’ye özel kısmen de genel olacaktır.</p> diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent index 45ce7c1..9e62acc 100644 --- a/docs/manual/style/version.ent +++ b/docs/manual/style/version.ent @@ -19,6 +19,6 @@ <!ENTITY httpd.major "2"> <!ENTITY httpd.minor "4"> -<!ENTITY httpd.patch "60"> +<!ENTITY httpd.patch "61"> <!ENTITY httpd.docs "2.4"> @@ -4,7 +4,7 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.60 +Version: 2.4.61 Release: 1 URL: http://httpd.apache.org/ Vendor: Apache Software Foundation diff --git a/include/ap_release.h b/include/ap_release.h index 635bdfd..3be7bae 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -43,7 +43,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 4 -#define AP_SERVER_PATCHLEVEL_NUMBER 60 +#define AP_SERVER_PATCHLEVEL_NUMBER 61 #define AP_SERVER_DEVBUILD_BOOLEAN 0 /* Synchronize the above with docs/manual/style/version.ent */ diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c index 53b6504..68db585 100644 --- a/modules/cluster/mod_heartmonitor.c +++ b/modules/cluster/mod_heartmonitor.c @@ -782,7 +782,7 @@ static int hm_handler(request_rec *r) hmserver.seen = apr_time_now(); hm_update_stat(ctx, &hmserver, r->pool); - ap_set_content_type(r, "text/plain"); + ap_set_content_type_ex(r, "text/plain", 1); ap_set_content_length(r, 2); ap_rputs("OK", r); ap_rflush(r); diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c index dea3f18..7a3eed7 100644 
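Review bot: The bare `1` passed as the new third argument in hm_handler (modules/cluster/mod_heartmonitor.c) does not say what it asserts. Judging by the `AP_REQUEST_IS_TRUSTED_CT(r)` argument in the http_request.c hunk, it marks the content type as trusted. The same literal recurs in the mod_dav, mod_example_hooks, mod_data, mod_include, mod_proxy_html, mod_cgi, mod_cgid, mod_info, mod_status, http_filters, http_protocol, util_ldap, mod_imagemap and mod_proxy_balancer hunks. Each of these passes a server-chosen constant, so trusting it looks right, but the CHANGES entry for CVE-2024-38476 on this page describes backend-controlled response headers steering local handlers, so a later caller copying the pattern with a non-constant value would silently opt out of that protection. A short comment at each call site would make the intent reviewable, for example `ap_set_content_type_ex(r, "text/plain", 1 /* trusted: literal set by this module */);`. hm_handler's body starts and ends outside the hunk.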
--- a/modules/dav/main/mod_dav.c +++ b/modules/dav/main/mod_dav.c @@ -355,7 +355,7 @@ static int dav_error_response(request_rec *r, int status, const char *body) r->status = status; r->status_line = ap_get_status_line(status); - ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); /* begin the response now... */ ap_rvputs(r, @@ -386,7 +386,7 @@ static int dav_error_response_tag(request_rec *r, { r->status = err->status; - ap_set_content_type(r, DAV_XML_CONTENT_TYPE); + ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); ap_rputs(DAV_XML_HEADER DEBUG_CR "<D:error xmlns:D=\"DAV:\"", r); @@ -544,7 +544,7 @@ DAV_DECLARE(void) dav_begin_multistatus(apr_bucket_brigade *bb, { /* Set the correct status and Content-Type */ r->status = status; - ap_set_content_type(r, DAV_XML_CONTENT_TYPE); + ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); /* Send the headers and actual multistatus response now... */ ap_fputs(r->output_filters, bb, DAV_XML_HEADER DEBUG_CR @@ -2016,7 +2016,7 @@ static int dav_method_options(request_rec *r) /* send the options response */ r->status = HTTP_OK; - ap_set_content_type(r, DAV_XML_CONTENT_TYPE); + ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); /* send the headers and response body */ ap_rputs(DAV_XML_HEADER DEBUG_CR @@ -3328,7 +3328,7 @@ static int dav_method_lock(request_rec *r) (*locks_hooks->close_lockdb)(lockdb); r->status = HTTP_OK; - ap_set_content_type(r, DAV_XML_CONTENT_TYPE); + ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); ap_rputs(DAV_XML_HEADER DEBUG_CR "<D:prop xmlns:D=\"DAV:\">" DEBUG_CR, r); if (lock == NULL) diff --git a/modules/examples/mod_example_hooks.c b/modules/examples/mod_example_hooks.c index f7ef5a5..d937906 100644 --- a/modules/examples/mod_example_hooks.c +++ b/modules/examples/mod_example_hooks.c 
@@ -993,7 +993,7 @@ static int x_handler(request_rec *r) * Set the Content-type header. Note that we do not actually have to send * the headers: this is done by the http core. */ - ap_set_content_type(r, "text/html"); + ap_set_content_type_ex(r, "text/html", 1); /* * If we're only supposed to send header information (HEAD request), we're * already there. diff --git a/modules/filters/mod_data.c b/modules/filters/mod_data.c index ddadd1b..4e6e636 100644 --- a/modules/filters/mod_data.c +++ b/modules/filters/mod_data.c @@ -117,7 +117,7 @@ static apr_status_t data_out_filter(ap_filter_t *f, apr_bucket_brigade *bb) } } - ap_set_content_type(r, "text/plain"); + ap_set_content_type_ex(r, "text/plain", 1); } diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c index 584d8fb..2c0cc67 100644 --- a/modules/filters/mod_include.c +++ b/modules/filters/mod_include.c @@ -3972,7 +3972,7 @@ static int include_fixup(request_rec *r) if (r->handler && (strcmp(r->handler, "server-parsed") == 0)) { if (!r->content_type || !*r->content_type) { - ap_set_content_type(r, "text/html"); + ap_set_content_type_ex(r, "text/html", 1); } r->handler = "default-handler"; } diff --git a/modules/filters/mod_proxy_html.c b/modules/filters/mod_proxy_html.c index 7783da1..4205a61 100644 --- a/modules/filters/mod_proxy_html.c +++ b/modules/filters/mod_proxy_html.c @@ -952,7 +952,7 @@ static apr_status_t proxy_html_filter(ap_filter_t *f, apr_bucket_brigade *bb) ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, APLOGNO(01422) "No i18n support found. Install mod_xml2enc if required"); enc = XML_CHAR_ENCODING_NONE; - ap_set_content_type(f->r, "text/html;charset=utf-8"); + ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); } else { /* if we wanted a non-default charset_out, insert the 
@@ -968,7 +968,7 @@ static apr_status_t proxy_html_filter(ap_filter_t *f, apr_bucket_brigade *bb) cenc, NULL)); } else /* Normal case, everything worked, utf-8 output */ - ap_set_content_type(f->r, "text/html;charset=utf-8"); + ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); } ap_fputs(f->next, ctxt->bb, ctxt->cfg->doctype); diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c index 3799b06..61d888d 100644 --- a/modules/generators/mod_cgi.c +++ b/modules/generators/mod_cgi.c @@ -671,7 +671,7 @@ static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f, /* Force sub_req to be treated as a CGI request, even if ordinary * typing rules would have called it something else. */ - ap_set_content_type(rr, CGI_MAGIC_TYPE); + ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); /* Run it. */ rr_status = ap_run_sub_req(rr); diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index 1d55b8d..f21eb12 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -1666,7 +1666,7 @@ static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f, /* Force sub_req to be treated as a CGI request, even if ordinary * typing rules would have called it something else. */ - ap_set_content_type(rr, CGI_MAGIC_TYPE); + ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); /* Run it. */ rr_status = ap_run_sub_req(rr); diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c index 1662242..a94e4e4 100644 --- a/modules/generators/mod_info.c +++ b/modules/generators/mod_info.c @@ -784,7 +784,7 @@ static int display_info(request_rec * r) return DECLINED; } - ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); ap_rputs(DOCTYPE_XHTML_1_0T "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n" diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index 5bada07..2cb38c7 100644 --- a/modules/generators/mod_status.c 
+++ b/modules/generators/mod_status.c @@ -273,7 +273,7 @@ static int status_handler(request_rec *r) if (r->method_number != M_GET) return DECLINED; - ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); /* * Simple table-driven form data set parser that lets you alter the header @@ -301,7 +301,7 @@ static int status_handler(request_rec *r) no_table_report = 1; break; case STAT_OPT_AUTO: - ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/plain; charset=ISO-8859-1", 1); short_report = 1; break; } diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index f20aee7..60b44d7 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -1261,7 +1261,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r) } } - ap_set_content_type(r, "message/http"); + ap_set_content_type_ex(r, "message/http", 1); /* Now we recreate the request, and echo it back */ diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index c31e873..3bc666e 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -1443,10 +1443,10 @@ AP_DECLARE(void) ap_send_error_response(request_rec *r, int recursive_error) request_conf->suppress_charset = 1; /* avoid adding default * charset later */ - ap_set_content_type(r, "text/html"); + ap_set_content_type_ex(r, "text/html", 1); } else { - ap_set_content_type(r, "text/html; charset=iso-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=iso-8859-1", 1); } if ((status == HTTP_METHOD_NOT_ALLOWED) diff --git a/modules/http/http_request.c b/modules/http/http_request.c index d59cfe2..71ecc2b 100644 --- a/modules/http/http_request.c +++ b/modules/http/http_request.c 
@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) r->args = rr->args; r->finfo = rr->finfo; r->handler = rr->handler; - ap_set_content_type(r, rr->content_type); + ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r)); r->content_encoding = rr->content_encoding; r->content_languages = rr->content_languages; r->per_dir_config = rr->per_dir_config; diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index aa0bad1..8c9e587 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -171,7 +171,7 @@ static int util_ldap_handler(request_rec *r) st = (util_ldap_state_t *) ap_get_module_config(r->server->module_config, &ldap_module); - ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); if (r->header_only) return OK; diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c index 206c0b6..b2dca7e 100644 --- a/modules/mappers/mod_imagemap.c +++ b/modules/mappers/mod_imagemap.c @@ -475,7 +475,7 @@ static int imap_reply(request_rec *r, const char *redirect) static void menu_header(request_rec *r, char *menu) { - ap_set_content_type(r, "text/html; charset=ISO-8859-1"); + ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", ap_escape_html(r->pool, r->uri), diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index b8b452d..3c0f5a8 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c 
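Review bot: In ap_internal_fast_redirect (modules/http/http_request.c) the content type is copied from `rr`, but the trust flag is read from `r` via `AP_REQUEST_IS_TRUSTED_CT(r)`, so the trust decision does not follow the origin of the value. The macro's definition is outside this diff, but if it reads per-request state, `r` here reflects whatever was set on the parent request earlier, not how `rr->content_type` was established on the sub-request. That could either drop trust from a type the server itself assigned to `rr` or carry trust over to a type that `rr` obtained from an untrusted source. Consider `ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr));` and confirm against the macro definition which request's flag is intended. The function body starts and ends outside the hunk.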
@@ -1471,7 +1471,7 @@ static void balancer_display_page(request_rec *r, proxy_server_conf *conf, if (usexml) { char date[APR_RFC822_DATE_LEN]; - ap_set_content_type(r, "text/xml"); + ap_set_content_type_ex(r, "text/xml", 1); ap_rputs("<?xml version='1.0' encoding='UTF-8' ?>\n", r); ap_rputs("<httpd:manager xmlns:httpd='http://httpd.apache.org'>\n", r); ap_rputs(" <httpd:balancers>\n", r); |