From e5260a81260d593ababfa53fcd8b82c42f30fa8b Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 1 Jul 2024 19:06:36 +0200 Subject: Merging upstream version 2.4.60. Signed-off-by: Daniel Baumann --- CHANGES | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) (limited to 'CHANGES') diff --git a/CHANGES b/CHANGES index 5c6a28b..a1cf74d 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,79 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.60 + + *) mod_proxy: Fix DNS requests and connections closed before the + configured addressTTL. BZ 69126. [Yann Ylavic] + + *) core: On Linux, log the real thread ID in error logs. [Joe Orton] + + *) core: Support zone/scope in IPv6 link-local addresses in Listen and + VirtualHost directives (requires APR 1.7.x or later). PR 59396 + [Joe Orton] + + *) mod_ssl: Reject client-initiated renegotiation with a TLS alert + (rather than connection closure). [Joe Orton, Yann Ylavic] + + *) Updated mime.types. [Mohamed Akram , + Adam Silverstein ] + + *) mod_ssl: Fix a regression that causes the default DH parameters for a key + no longer set and thus effectively disabling DH ciphers when no explicit + DH parameters are set. PR 68863 [Ruediger Pluem] + + *) mod_cgid: Optional support for file descriptor passing, fixing + error log handling (configure --enable-cgid-fdpassing) on Unix + platforms. PR 54221. [Joe Orton] + + *) mod_cgid/mod_cgi: Distinguish script stderr output clearly in + error logs. PR 61980. [Hank Ibell ] + + *) mod_tls: update version of rustls-ffi to v0.13.0. + [Daniel McCarney (@cpu}] + + *) mod_md: + - Using OCSP stapling information to trigger certificate renewals. Proposed + by @frasertweedale. + - Added directive `MDCheckInterval` to control how often the server checks + for detected revocations. Added proposals for configurations in the + README.md chapter "Revocations". + - OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is + allowed in RFC 6960. Treat those as having an update interval of 12 hours. + Added by @frasertweedale. + - Adapt OpenSSL usage to changes in their API. By Yann Ylavic. 
+ Changes with Apache 2.4.59 + *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by + memory exhaustion on endless continuation frames (cve.mitre.org) + HTTP/2 incoming headers exceeding the limit are temporarily + buffered in nghttp2 in order to generate an informative HTTP 413 + response. If a client does not stop sending headers, this leads + to memory exhaustion. + Credits: Bartek Nowotarski (https://nowotarski.info/) + + *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response + Splitting in multiple modules (cve.mitre.org) + HTTP Response splitting in multiple modules in Apache HTTP + Server allows an attacker that can inject malicious response + headers into backend applications to cause an HTTP + desynchronization attack. + + After this change, CGI-like scripts cannot set Transfer-Encoding + or Content-Length headers. To restore the ability to set Content-Length + header, set per-request environment variable 'ap_trust_cgilike_cl' to any + non-empty value. + + Credits: Keran Mu, Tsinghua University and Zhongguancun + Laboratory. + + *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response + splitting (cve.mitre.org) + Faulty input validation in the core of Apache allows malicious + or exploitable backend/content generators to split HTTP + responses. + This issue affects Apache HTTP Server: through 2.4.58. + Credits: Orange Tsai (@orange_8361) from DEVCORE + *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris ] -- cgit v1.2.3
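Review bot: the mod_tls entry has a mismatched bracket, `[Daniel McCarney (@cpu}]` should read `[Daniel McCarney (@cpu)]`. Two consistency points in the same hunk: the mod_proxy entry cites its bug as `BZ 69126.` while every other entry in the file uses the `PR NNNNN` form, so `PR 69126.` would match; and the mod_ssl DH entry is hard to parse as written ("Fix a regression that causes the default DH parameters for a key no longer set and thus effectively disabling DH ciphers"). Suggested wording: "Fix a regression that caused the default DH parameters for a key to no longer be set, effectively disabling DH ciphers when no explicit DH parameters are configured." Since that entry and the "Reject client-initiated renegotiation with a TLS alert" entry both change observable TLS behaviour that operators will want to verify after upgrading, clear wording there matters more than elsewhere in the block.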