diff --git a/apache2.changes b/apache2.changes index c0ded4c..45657e4 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,224 @@ +------------------------------------------------------------------- +Thu Oct 19 14:23:08 UTC 2023 - David Anes + +- Update to 2.4.58: + *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream + memory not reclaimed right away on RST (cve.mitre.org) + When a HTTP/2 stream was reset (RST frame) by a client, there + was a time window were the request's memory resources were not + reclaimed immediately. Instead, de-allocation was deferred to + connection close. A client could send new requests and resets, + keeping the connection busy and open and causing the memory + footprint to keep on growing. On connection close, all resources + were reclaimed, but the process might run out of memory before + that. + This was found by the reporter during testing of CVE-2023-44487 + (HTTP/2 Rapid Reset Exploit) with their own test client. During + "normal" HTTP/2 use, the probability to hit this bug is very + low. The kept memory would not become noticeable before the + connection closes or times out. + Users are recommended to upgrade to version 2.4.58, which fixes + the issue. + Credits: Will Dormann of Vul Labs + + *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with + initial windows size 0 (cve.mitre.org) + An attacker, opening a HTTP/2 connection with an initial window + size of 0, was able to block handling of that connection + indefinitely in Apache HTTP Server. This could be used to + exhaust worker resources in the server, similar to the well + known "slow loris" attack pattern. + This has been fixed in version 2.4.58, so that such connection + are terminated properly after the configured connection timeout. + This issue affects Apache HTTP Server: from 2.4.55 through + 2.4.57. + Users are recommended to upgrade to version 2.4.58, which fixes + the issue. + Credits: Prof. Sven Dietrich (City University of New York) + + *) SECURITY: CVE-2023-31122: mod_macro buffer over-read + (cve.mitre.org) + Out-of-bounds Read vulnerability in mod_macro of Apache HTTP + Server.This issue affects Apache HTTP Server: through 2.4.57. + Credits: David Shoon (github/davidshoon) + + *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: + SSL routines::unexpected eof while reading" when using + OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if + available. [Rainer Jung] + + *) mod_http2: improved early cleanup of streams. + [Stefan Eissing] + + *) mod_proxy_http2: improved error handling on connection errors while + response is already underway. + [Stefan Eissing] + + *) mod_http2: fixed a bug that could lead to a crash in main connection + output handling. This occured only when the last request on a HTTP/2 + connection had been processed and the session decided to shut down. + This could lead to an attempt to send a final GOAWAY while the previous + write was still in progress. See PR 66646. + [Stefan Eissing] + + *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value. + Fixes PR66752. + [Stefan Eissing] + + *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as + described in RFC 8441. A new directive 'H2WebSockets on|off' has been + added. The feature is by default not enabled. + As also discussed in the manual, this feature should work for setups + using "ProxyPass backend-url upgrade=websocket" without further changes. + Special server modules for WebSockets will have to be adapted, + most likely, as the handling if IO events is different with HTTP/2. + HTTP/2 WebSockets are supported on platforms with native pipes. This + excludes Windows. + [Stefan Eissing] + + *) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. + in OCSP stapling. PR 66672. [Frank Meier , covener] + + *) mod_http2: fixed a bug in flushing pending data on an already closed + connection that could lead to a busy loop, preventing the HTTP/2 session + to close down successfully. Fixed PR 66624. + [Stefan Eissing] + + *) mod_http2: v2.0.15 with the following fixes and improvements + - New directive 'H2EarlyHint name value' to add headers to a response, + picked up already when a "103 Early Hints" response is sent. 'name' and + 'value' must comply to the HTTP field restrictions. + This directive can be repeated several times and header fields of the + same names add. Sending a 'Link' header with 'preload' relation will + also cause a HTTP/2 PUSH if enabled and supported by the client. + - Fixed an issue where requests were not logged and accounted in a timely + fashion when the connection returns to "keepalive" handling, e.g. when + the request served was the last outstanding one. + This led to late appearance in access logs with wrong duration times + reported. + - Accurately report the bytes sent for a request in the '%O' Log format. + This addresses #203, a long outstanding issue where mod_h2 has reported + numbers over-eagerly from internal buffering and not what has actually + been placed on the connection. + The numbers are now the same with and without H2CopyFiles enabled. + [Stefan Eissing] + + *) mod_proxy_http2: fix retry handling to not leak temporary errors. + On detecting that that an existing connection was shutdown by the other + side, a 503 response leaked even though the request was retried on a + fresh connection. + [Stefan Eissing] + + *) mod_rewrite: Add server directory to include path as mod_rewrite requires + test_char.h. PR 66571 [Valeria Petrov ] + + *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling + of HTTP/2 requests in a forward proxy configuration. + General forward proxying is enabled via `ProxyRequests`. If the + HTTP/2 protocol is also enabled for such a server/host, this new + directive is needed in addition. + [Stefan Eissing] + + *) core: Updated conf/mime.types: + - .js moved from 'application/javascript' to 'text/javascript' + - .mjs was added as 'text/javascript' + - add .opus ('audio/ogg') + - add 'application/vnd.geogebra.slides' + - add WebAssembly MIME types and extension + [Mathias Bynens <@mathiasbynens> via PR 318, + Richard de Boer , Dave Hodder , + Zbynek Konecny ] + + *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend + connection when sending data on the frontend one. This caused crashes + or infinite loops in rare situations. + *) mod_proxy_http2: fixed a bug in retry/response handling that could lead + to wrong status codes or HTTP messages send at the end of response bodies + exceeding the announced content-length. + *) mod_proxy_http2: fix retry handling to not leak temporary errors. + On detecting that that an existing connection was shutdown by the other + side, a 503 response leaked even though the request was retried on a + fresh connection. + *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in + the wrong order when a bucket_beam was destroyed. + [Stefan Eissing] + + *) mod_http2: avoid double chunked-encoding on internal redirects. + PR 66597 [Yann Ylavic, Stefan Eissing] + + *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count + HTTP/2 requests twice. Fixes PR 66801. + [Stefan Eissing] + + *) mod_ssl: Fix handling of Certificate Revoked messages + in OCSP stapling. PR 66626. [] + + *) mod_http2: fixed a bug in handling of stream timeouts. + [Stefan Eissing] + + *) mod_tls: updating to rustls-ffi version 0.9.2 or higher. + Checking in configure for proper version installed. Code + fixes for changed clienthello member name. + [Stefan Eissing] + + *) mod_md: + - New directive `MDMatchNames all|servernames` to allow more control over how + MDomains are matched to VirtualHosts. + - New directive `MDChallengeDns01Version`. Setting this to `2` will provide + the command also with the challenge value on `teardown` invocation. In version + 1, the default, only the `setup` invocation gets this parameter. + Refs #312. Thanks to @domrim for the idea. + - For Managed Domain in "manual" mode, the checks if all used ServerName and + ServerAlias are part of the MDomain now reports a warning instead of an error + (AH10040) when not all names are present. + - MDChallengeDns01 can now be configured for individual domains. + Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working + - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge + teardown not being invoked as it should. + + *) mod_ldap: Avoid performance overhead of APR-util rebind cache for + OpenLDAP 2.2+. PR 64414. [Joe Orton] + + *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum + amount of response body bytes put into a single HTTP/2 DATA frame. + Setting this to 0 places no limit (but the max size allowed by the + protocol is observed). + The module, by default, tries to use the maximum size possible, which is + somewhat around 16KB. This sets the maximum. When less response data is + available, smaller frames will be sent. + + *) mod_md: fixed passing of the server environment variables to programs + started via MDMessageCmd and MDChallengeDns01 on *nix system. + See . + [Stefan Eissing] + + *) mod_dav: Add DavBasePath directive to configure the repository root + path. PR 35077. [Joe Orton] + + *) mod_alias: Add AliasPreservePath directive to map the full + path after the alias in a location. [Graham Leggett] + + *) mod_alias: Add RedirectRelative to allow relative redirect targets to be + issued as-is. [Eric Covener, Graham Leggett] + + *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make + sure that if the format is configured early enough it applies to every log + line. PR 62161. [Yann Ylavic] + + *) mod_deflate: Add DeflateAlterETag to control how the ETag + is modified. The 'NoChange' parameter mimics 2.2.x behavior. + PR 45023, PR 39727. [Eric Covener] + + *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet] + + *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers". + Resolve inconsistency between the previous two occurrences by + counting workers in state SERVER_GRACEFUL no longer as busy, + but instead in a new counter "GracefulWorkers" (or on HTML + view as "workers gracefully restarting"). Also add the graceful + counter as a new column to the existing HTML per process table + for async MPMs. PR 63300. [Rainer Jung] + ------------------------------------------------------------------- Sat Aug 5 11:44:23 UTC 2023 - Dirk Stoecker diff --git a/apache2.spec b/apache2.spec index 6987693..0cb98eb 100644 --- a/apache2.spec +++ b/apache2.spec @@ -107,7 +107,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.57 +Version: 2.4.58 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 diff --git a/httpd-2.4.57.tar.bz2 b/httpd-2.4.57.tar.bz2 deleted file mode 100644 index 953663d..0000000 --- a/httpd-2.4.57.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a -size 7457022 diff --git a/httpd-2.4.57.tar.bz2.asc b/httpd-2.4.57.tar.bz2.asc deleted file mode 100644 index 5d25946..0000000 --- a/httpd-2.4.57.tar.bz2.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmQpqJUACgkQgngd5G1Z -VPrSqhAAge2udhX49FI9zwhoxeCND0dxB/DZ8vWc6MbDryYUYZBA2+o7cvwSRSdZ -fxghFliJUWDSDD7YFjIrsAKPcjdKS2vn6+vmNRU05dw+JoZuQuyzg9PMuEOo3qRN -poVd7SsxFhAT3ow6+j2ns3ei+B87BWrgkN6P2A4UNiUKKej+EACL3JnrOGbcPoLa -ThEdphd5B6qTegw3Sz3aHgJ06833mH5KdrUNXwjmhsZCdgmBORyepjAQFKQChOq6 -JExsk/PTPgy0KX27IWMgrgQohW0zEzr8BtrZsu+DXxuhjen7bKm06uEoYDCR6xF1 -gu/oGBLVuDkktnRfleGUtmXoJ+yVMyz06ILL/ka5Jy3ob8sdWqD37oAcGQJeZYog -uUnW+FoCmfv6uLRxZbFr2SCr2Jc8cnI45cPpppG0OraBJHHja99W60lInDpjFvHF -U9Ev+UNU3PwtYuIhwp8tJB61cnQzxyH0Frt5lQfXxPKWTuFY3MSuoNJi1x3IqZvx -fan2kxN0R0RyvXOhD6eJcQpydRHNDj/zgIo46gL7XRPB4aFBZRPyXwTVejcT6juL -CHX/AUk18DIlBd+X7wJ115UQg9m6bABrj+Jg6ujoTb62Vstuju3P6XJ/qbCpGQcY -ZyLOwbFiDD8CMm06ELQixDa9momkXXWH6mH+cEQDkPl+Scz5pf0= -=qbuf ------END PGP SIGNATURE----- diff --git a/httpd-2.4.58.tar.bz2 b/httpd-2.4.58.tar.bz2 new file mode 100644 index 0000000..6c29532 --- /dev/null +++ b/httpd-2.4.58.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5 +size 7485817 diff --git a/httpd-2.4.58.tar.bz2.asc b/httpd-2.4.58.tar.bz2.asc new file mode 100644 index 0000000..5945b61 --- /dev/null +++ b/httpd-2.4.58.tar.bz2.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmUtUXcACgkQ03fJ59GU +TGZJnA/+KAE23IcOsePVK93RsfY2pCXvrQWH2vRaPQOV68lMMyI9I3D7Dd6ZbOIL +kfdcuMydaOzkwAzgM9dgfC2PF5rO/8LDHtieBRfLNVjcK7ngatZLzRU+2qARk4PG +bxfnpVzpnshBTkMuQ0C3nr6mi+bXQgdbbSLXGS5SOBqckBMfkpEXzArU8PU0EQwT +u3Id+eAqWtxXtwRKz+lRNwLzmyiXc8a1YwXJh5d2ldrL+WlFA1cts+k3nR5YPzF1 +QsHLkoTuiAbXpRYHJg83AAENVxYPvwttIdthLeQtUgV6dcoiAuJzOt0/EBnUN5B3 +J+T10z4zvXN0MogTVceAFfySZ6fQrR5PXs3raepDjo/AtVH9dvSQdXhpOGtyiCI9 +4eabSL69Z7r+Nr3UzVLVYb4Uan5Z7G1UkKQNxJVJSR4mzitf1d3Fylw52ivBGnLv +OMcY1/b3Kx0m69dIiIlLPnG7UMgHwqgYcxJKomjI9opdobmpK42u8ZjOEYFoNAtk +sINfcehp83WwxdDuvpuSFNYWQXGhKONAZIyCW8lAuFWBG8oXra5osWY176OSUGTu +Ah+pM1NlbwL45r5kw+3t4L/3Hhx+dDqtI8jrQYReN/u4dBuIcqqLT1Ik2WjBuTyE +QiY/ZOzdxO7UAGYvgFyMHX+KsuqrxZKHd1JN2+TzHhEtstSICnE= +=CtTT +-----END PGP SIGNATURE-----