Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/10/05 08:10:52 UTC

[httpd-site] branch main updated: release 2.4.50

This is an automated email from the ASF dual-hosted git repository.

icing pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 8bef3e8  release 2.4.50
8bef3e8 is described below

commit 8bef3e82655b4c8c74db735f429dcdc6ffbe26fc
Author: Stefan Eissing <st...@greenbytes.de>
AuthorDate: Tue Oct 5 10:10:42 2021 +0200

    release 2.4.50
---
 content/doap.rdf                          |   4 +-
 content/download.md                       |  24 +++---
 content/index.md                          |   6 +-
 content/security/json/CVE-2021-41524.json | 102 ++++++++++++++++++++++++
 content/security/json/CVE-2021-41773.json | 124 ++++++++++++++++++++++++++++++
 5 files changed, 243 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index 30ff257..7313618 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
     <release>
       <Version>
         <name>Recommended current 2.4 release</name>
-        <created>2021-09-16</created>
-        <revision>2.4.49</revision>
+        <created>2021-10-04</created>
+        <revision>2.4.50</revision>
       </Version>
     </release>
 
diff --git a/content/download.md b/content/download.md
index 57c5bf8..a9b9be6 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,7 +19,7 @@ Apache httpd for Microsoft Windows is available from
 
 Stable Release - Latest Version:
 
--  [2.4.49](#apache24) (released 2021-09-16)
+-  [2.4.50](#apache24) (released 2021-10-04)
 
 If you are downloading the Win32 distribution, please read these [important
 notes]([preferred]/httpd/binaries/win32/README.html).
@@ -41,11 +41,11 @@ type="submit" value="Change"></input></form>
 You may also consult the [complete list of
 mirrors](//www.apache.org/mirrors/).
 
-# Apache HTTP Server 2.4.49 (httpd): 2.4.49 is the latest available version <span>2021-09-16</span>  {#apache24}
+# Apache HTTP Server 2.4.50 (httpd): 2.4.50 is the latest available version <span>2021-10-04</span>  {#apache24}
 
 The Apache HTTP Server Project is pleased to
 [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.49 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.50 of the Apache HTTP Server ("Apache" and "httpd").
 This version of Apache is our latest GA release of the new generation 2.4.x
 branch of Apache HTTPD and represents fifteen years of innovation by the
 project, and is recommended over all previous releases!
@@ -53,17 +53,17 @@ project, and is recommended over all previous releases!
 For details, see the [Official
 Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
 the [CHANGES_2.4]([preferred]/httpd/CHANGES_2.4) and
-[CHANGES_2.4.49]([preferred]/httpd/CHANGES_2.4.49) lists.
+[CHANGES_2.4.50]([preferred]/httpd/CHANGES_2.4.50) lists.
 
-- Source: [httpd-2.4.49.tar.bz2]([preferred]/httpd/httpd-2.4.49.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.49.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.49.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.49.tar.bz2.sha512) ]
+- Source: [httpd-2.4.50.tar.bz2]([preferred]/httpd/httpd-2.4.50.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.sha512) ]
 
-- Source: [httpd-2.4.49.tar.gz]([preferred]/httpd/httpd-2.4.49.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.49.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.49.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.49.tar.gz.sha512) ]
+- Source: [httpd-2.4.50.tar.gz]([preferred]/httpd/httpd-2.4.50.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.sha512) ]
 
 - [Binaries]([preferred]/httpd/binaries/) 
 
diff --git a/content/index.md b/content/index.md
index 7f902f6..5a4c774 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
 The Apache HTTP Server is a project of [The Apache Software
 Foundation](http://www.apache.org/).
 
-# Apache httpd 2.4.49 Released <span>2021-09-16</span>
+# Apache httpd 2.4.50 Released <span>2021-10-04</span>
 The Apache Software Foundation and the Apache HTTP Server Project are
 pleased to
 [announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.49 of the Apache HTTP Server ("httpd").
+release of version 2.4.50 of the Apache HTTP Server ("httpd").
 
 This latest release from the 2.4.x stable branch represents the best available
 version of Apache HTTP Server.
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
 Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
 
 [Download](download.cgi#apache24) | [ChangeLog for
-2.4.49](http://downloads.apache.org/httpd/CHANGES_2.4.49) | [Complete ChangeLog for
+2.4.50](http://downloads.apache.org/httpd/CHANGES_2.4.50) | [Complete ChangeLog for
 2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
 2.4](docs/trunk/new_features_2_4.html)  {.centered}
 
diff --git a/content/security/json/CVE-2021-41524.json b/content/security/json/CVE-2021-41524.json
new file mode 100644
index 0000000..e1d642c
--- /dev/null
+++ b/content/security/json/CVE-2021-41524.json
@@ -0,0 +1,102 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2021-41524",
+    "STATE": "REVIEW",
+    "TITLE": "null pointer dereference in h2 fuzzing"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_value": "2.4.49"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Apache httpd team would like to thank LI ZHI XIN from NSFocus Security Team for reporting this issue."
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing,\nallowing an external source to DoS the server. This requires a specially crafted request. \n\nThe vulnerability was recently introduced in version 2.4.49. No exploit is known to the project."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "moderate"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-476 NULL Pointer Dereference"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-09-17",
+      "value": "reported by Gerald Lee"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-09-26",
+      "value": "fixed by r1893655 in 2.4.x"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-10-04",
+      "value": "2.4.50 released"
+    }
+  ],
+  "work_around": [
+    {
+      "lang": "eng",
+      "value": "Disable the HTTP/2 protocol."
+    }
+  ]
+}
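Review bot: The affected-version entry at `"version_affected": "<="` with `"version_value": "2.4.49"` declares every release up to 2.4.49 vulnerable, while the description in the same file says the bug "was recently introduced in version 2.4.49"; the sibling CVE-2021-41773.json record uses `"version_affected": "="` for the same single-release case, so this one should presumably be `"version_affected": "=",` unless earlier versions really are affected. The `reference_data` entry carries only `"refsource": "CONFIRM"` and no `url`/`name`, so the published advisory points readers nowhere; add `"url": "<ADVISORY-URL>"` and `"name": "<ADVISORY-TITLE>"` alongside it. The timeline says `"reported by Gerald Lee"` while the credit names LI ZHI XIN of NSFocus; if these are not the same reporter one of the two entries looks wrong and should be reconciled before the record is published.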
diff --git a/content/security/json/CVE-2021-41773.json b/content/security/json/CVE-2021-41773.json
new file mode 100644
index 0000000..0e4a2d0
--- /dev/null
+++ b/content/security/json/CVE-2021-41773.json
@@ -0,0 +1,124 @@
+{
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "CVE_data_meta": {
+    "ID": "CVE-2021-41773",
+    "ASSIGNER": "security@apache.org",
+    "DATE_PUBLIC": "",
+    "TITLE": "Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49",
+    "AKA": "",
+    "STATE": "REVIEW"
+  },
+  "source": {
+    "defect": [],
+    "advisory": "",
+    "discovery": "UNKNOWN"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "vendor_name": "Apache Software Foundation",
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_affected": "=",
+                      "version_value": "2.4.49",
+                      "platform": ""
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+          }
+        ]
+      }
+    ]
+  },
+  "description": {
+    "description_data": [
+      {
+        "value": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.  \n\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.\n\nThis issue is known to be exploited in the wild.\n\nThis issue only affects Apache  [...]
+        "lang": "eng"
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM",
+        "url": "",
+        "name": ""
+      }
+    ]
+  },
+  "configuration": [],
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "exploit": [],
+  "work_around": [],
+  "solution": [],
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "This issue was reported by Ash Daulton along with the cPanel Security Team"
+    }
+  ],
+  "CNA_private": {
+    "owner": "httpd",
+    "publish": {
+      "ym": "",
+      "year": "",
+      "month": ""
+    },
+    "share_with_CVE": true,
+    "CVE_table_description": [],
+    "CVE_list": [],
+    "internal_comments": "",
+    "todo": [],
+    "emailed": "",
+    "userslist": "",
+    "email": ""
+  },
+  "timeline": [
+    {
+      "time": "2021-09-29",
+      "lang": "eng",
+      "value": "reported"
+    },
+    {
+      "time": "2021-10-01",
+      "lang": "eng",
+      "value": "fixed by r1893775 in 2.4.50"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-10-04",
+      "value": "2.4.50 released"
+    }
+  ]
+}
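Review bot: The `CNA_private` object (owner, `internal_comments`, `emailed`, `userslist`, `email`) is being committed to the public website repository; the fields are empty here, but this is a Vulnogram-internal section and carrying it into published records is how internal notes or addresses end up leaking, so it should be stripped from the file before commit. Many fields in this record are present as empty strings or arrays (`"DATE_PUBLIC": ""`, `"url": ""`, `"name": ""`, `"platform": ""`, `"work_around": []`, `"solution": []`) whereas CVE-2021-41524.json simply omits what it does not know; pick one policy for the two files, and since the description says the issue is exploited in the wild and that `require all denied` on paths outside the document root prevents the requests from succeeding, that guidance belongs in a `work_around` entry rather than an empty array. The `reference_data` entry has an empty `url`, so the published advisory gives no pointer to the fix or announcement; fill in `"url": "<ADVISORY-URL>"`. The `description_data` value is truncated by the archive (`[...]`), so its tail could not be reviewed here.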