Posted to cvs@httpd.apache.org by ja...@apache.org on 2021/06/01 20:04:26 UTC

svn commit: r48071 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.48 CURRENT-IS-2.4.46 CURRENT-IS-2.4.48

Author: jailletc36
Date: Tue Jun  1 20:04:26 2021
New Revision: 48071

Log:
Updates for announcement of 

Added:
    release/httpd/CURRENT-IS-2.4.48
Removed:
    release/httpd/CURRENT-IS-2.4.46
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.48

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Tue Jun  1 20:04:26 2021
@@ -52,7 +52,7 @@
                        Apache HTTP Server 2.4.48 Released
 </h1>
 <p>
-   September 21, 2018
+   June 01, 2021
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
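Review bot: the date line in this hunk jumps straight from "September 21, 2018" to "June 01, 2021" while the heading in context already reads 2.4.48, so the date was evidently not refreshed for the releases in between; it is worth checking that no other per-release field further down in Announcement2.4.html was likewise left at a stale value.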
@@ -62,7 +62,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and
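Review bot: describing 2.4.48 as "a security, feature and bug fix release" matches the SECURITY entry for CVE-2021-31618 that this same commit adds to CHANGES, but nothing in the visible hunk shows the announcement naming the CVE. The announcement should list CVE-2021-31618, and, since the CHANGES hunks also add seven SECURITY entries under the 2.4.47 heading, say whether those are being announced with this release, so that readers can judge their exposure without opening CHANGES_2.4.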

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Tue Jun  1 20:04:26 2021
@@ -1,6 +1,6 @@
                 Apache HTTP Server 2.4.48 Released
 
-   September 21, 2018
+   June 01, 2021
 
    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.48 of the Apache
@@ -8,7 +8,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Tue Jun  1 20:04:26 2021
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.48
 
+  *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+     mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
   *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
      fallback to mod_proxy_http for WebSocket upgrade and tunneling.
      [Yann Ylavic]
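Review bot: the new CVE-2021-31618 entry is terser than the other SECURITY entries in this file: it ends without a period before the credit ("dereference [Ivan Zhakov]"), and unlike the CVE-2020-26690, CVE-2020-26691 and CVE-2020-13950 entries it does not say what the NULL pointer dereference can be used for. Suggest adding the period and, if the impact was assessed, stating it in the same form as the mod_session and mod_proxy_http entries.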
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48
 
 Changes with Apache 2.4.47
 
+  *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+     Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+  *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+     mod_auth_digest: possible stack overflow by one nul byte while validating
+     the Digest nonce.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service with a malicious backend
+     server and SessionHeader.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+     mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+     Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+  *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+     mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+     negotiation.  [Yann Ylavic]
+
   *) mod_dav_fs: Improve logging output when failing to open files for
      writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
 
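Review bot: two of the seven SECURITY entries added under 2.4.47 break the file's own pattern. The CVE-2021-30641 entry ("Unexpected <Location> section matching with 'MergeSlashes OFF'") has neither a component prefix nor a credit bracket, and the CVE-2020-13938 entry ends without a period before "[Ivan Zhakov]". Suggest giving the CVE-2021-30641 entry the same "component: description.  [credit]" shape as its neighbours and adding the missing period.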
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47
   *) mod_authnz_ldap: Prevent authentications with empty passwords for the
      initial bind to fail with status 500. [Ruediger Pluem]
 
-  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-     the format can't match anyway.  [Yann Ylavic]
-
   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
      Transfer-Encoding from the client, spooling the request body when needed
      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
 
-  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
-     proxy_util.  [Yann Ylavic]
-
   *) mod_proxy: Improve tunneling loop to support half closed connections and
      pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
 
-  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
-     and switched protocol forwarding.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
      allowing for (non-)Upgrade negotiation with the origin server.
      [Yann Ylavic]
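Review bot: the three removed non-security entries look like they are being superseded by SECURITY entries added earlier in this same file: the mod_auth_digest "Fast validation of the nonce's base64" line corresponds to CVE-2020-35452 (validation of the Digest nonce), and the mod_proxy_http "handle Upgrade request, 101 (Switching Protocol) response" line corresponds to CVE-2019-17567 (Upgradable protocols end-to-end negotiation). The third removal, "mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in proxy_util", has no counterpart among the added entries; if that refactor is still part of the release, dropping the line loses its changelog record, and if it was folded into the CVE-2019-17567 fix the SECURITY entry should say so.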

Modified: release/httpd/CHANGES_2.4.48
==============================================================================
--- release/httpd/CHANGES_2.4.48 (original)
+++ release/httpd/CHANGES_2.4.48 Tue Jun  1 20:04:26 2021
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.48
 
+  *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+     mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
   *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
      fallback to mod_proxy_http for WebSocket upgrade and tunneling.
      [Yann Ylavic]
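Review bot: the hunks applied to CHANGES_2.4.48 repeat, line for line, the hunks applied to CHANGES_2.4 in this same commit, apart from the trailer hunk at the end of this file. Keeping two hand-edited copies of one changelog is what produces that kind of drift; suggest generating CHANGES_2.4.48 by copying CHANGES_2.4 in the release script instead of applying the edits twice.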
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48
 
 Changes with Apache 2.4.47
 
+  *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+     Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+  *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+     mod_auth_digest: possible stack overflow by one nul byte while validating
+     the Digest nonce.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service with a malicious backend
+     server and SessionHeader.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+     mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+     Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+  *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+     mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+     negotiation.  [Yann Ylavic]
+
   *) mod_dav_fs: Improve logging output when failing to open files for
      writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
 
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47
   *) mod_authnz_ldap: Prevent authentications with empty passwords for the
      initial bind to fail with status 500. [Ruediger Pluem]
 
-  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-     the format can't match anyway.  [Yann Ylavic]
-
   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
      Transfer-Encoding from the client, spooling the request body when needed
      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
 
-  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
-     proxy_util.  [Yann Ylavic]
-
   *) mod_proxy: Improve tunneling loop to support half closed connections and
      pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
 
-  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
-     and switched protocol forwarding.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
      allowing for (non-)Upgrade negotiation with the origin server.
      [Yann Ylavic]
@@ -262,3 +283,13 @@ Changes with Apache 2.4.47
      connection reuse is disabled by default to avoid compatibility issues.
      [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
 
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
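Review bot: the appended trailer reads "Apache 2.3.0-dev includes those bug fixes and changes with the Apache 2.2.xx tree", which is stale wording in a changelog for 2.4.48, and this trailer is added to CHANGES_2.4.48 only, not to CHANGES_2.4 in the same commit, so the two files now differ. Suggest updating the wording to refer to the 2.4.x tree, adding the same trailer to CHANGES_2.4 (or deliberately omitting it from both), and considering https for the two viewvc links.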

Added: release/httpd/CURRENT-IS-2.4.48
==============================================================================
    (empty)