Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 34 |
1 files changed, 33 insertions, 1 deletions
@@ -1,6 +1,38 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.62 + + *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for + "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets + with BalancerMember(s). PR 69168. [Yann Ylavic] + + *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. + PR 69160 [Yann Ylavic] + + *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. + [Joe Orton] + + *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs + via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>] + + *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. + [Ruediger Pluem, Yann Ylavic] + + *) mpm_worker: Fix possible warning (AH00045) about children processes not + terminating timely. [Yann Ylavic] + Changes with Apache 2.4.61 + *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) + A regression in the core of Apache HTTP Server 2.4.60 ignores + some use of the legacy content-type based configuration of + handlers. "AddType" and similar configuration, under some + circumstances where files are requested indirectly, result in + source code disclosure of local content. For example, PHP + scripts may be served instead of interpreted. + Users are recommended to upgrade to version 2.4.61, which fixes + this issue. + Changes with Apache 2.4.60 *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy @@ -67,7 +99,7 @@ Changes with Apache 2.4.60 crafted requests. Credits: Orange Tsai (@orange_8361) from DEVCORE - *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF + *) SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF (cve.mitre.org) SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious |
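Review bot: In the first hunk, the CVE-2024-39884 entry says only that "AddType" and "similar configuration" are affected "under some circumstances where files are requested indirectly", which does not let an administrator decide whether their own configuration is exposed. Consider naming the directives and the kind of indirect request covered, and stating the affected version explicitly, since the text implies a regression in 2.4.60 alone. The entry also has no Credits line, unlike the 2.4.60 security entry visible further down; add one if there was a reporter. Smaller points in the 2.4.62 block: the two mod_proxy entries punctuate the bug reference differently ("PR 69168." with a trailing period, "PR 69160" without), and the mpm_worker entry reads "children processes" where "child processes" is meant.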
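Review bot: In the second hunk, the typo fix on the CVE-2024-38472 title stops short of the description two lines below, which still reads "NTML hashes". That should be "NTLM hashes", and correcting it in the same commit keeps the entry findable by the term people actually search for. The same sentence says "SSRF in Apache HTTP Server on Windows allows to potentially leak ... via SSRF", so the repeated "via SSRF" could be dropped while the entry is being touched.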