- libxml2 since version 2.12.0 has removed a variable that was specified in the apache
apache mod_xml2enc code.
- This dependency caused the apache2 build to fail with the updated libxml2.
- This patch removes the dependency. It will be able to be removed when the next apache
update is carried out as the patch was created from an apache commit.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.58
Excerpt from changelog:
"Changes with Apache 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.57
"Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.53
Short summary of the most important SECURITY changes:
"Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
(cve.mitre.org)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
Server allows an attacker to overwrite heap memory with possibly
attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions.
Credits: Ronald Crane (Zippenhop LLC)
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
If LimitXMLRequestBody is set to allow request bodies larger
than 350MB (defaults to 1M) on 32 bit systems an integer
overflow happens which later causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
Apache HTTP Server 2.4.52 and earlier fails to close inbound
connection when errors are encountered discarding the request
body, exposing the server to HTTP Request Smuggling
Credits: James Kettle <james.kettle portswigger.net>
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
in r:parsebody (cve.mitre.org)
A carefully crafted request body can cause a read to a random
memory area which could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Chamal De Silva
..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
For details see:
https://dlcdn.apache.org//httpd/CHANGES_2.4.52
Excerpt from changelog:
""Changes with Apache 2.4.52
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
Credits: Chamal
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
Credits: 漂亮é¼
TengMA(@Te3t123)
..."
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated Apache from 2.4.29 to 2.4.33
- Updated Apr from 1.6.1 to 1.6.3
- Updated Apr-Util from 1.6.0 to 1.6.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- APR 1.6.2 is a requirement for building apache httpd 2.4
- APR-Util 1.6.0 is a requirement for building apache httpd 2.4
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixed in Apache httpd 2.2.23
low: XSS in mod_negotiation when untrusted uploads are supported CVE-2012-2687
Note: This issue is also known as CVE-2008-0455.
low: insecure LD_LIBRARY_PATH handling CVE-2012-0883
http://httpd.apache.org/security/vulnerabilities_22.html
Fix six low and moderate security flaws. Most of them are not important for ipfire.
low: mod_setenvif .htaccess privilege escalation CVE-2011-3607
low: mod_log_config crash CVE-2012-0021
low: scoreboard parent DoS CVE-2012-0031
moderate: mod_proxy reverse proxy exposure CVE-2011-4317
moderate: error responses can expose cookies CVE-2012-0053
moderate: mod_proxy reverse proxy exposure CVE-2011-3368
For details check: http://httpd.apache.org/security/vulnerabilities_22.html
