Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/10/07 15:22:08 UTC

[httpd-site] branch main updated: publishing release httpd-2.4.51

This is an automated email from the ASF dual-hosted git repository.

icing pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
     new fc7878a  publishing release httpd-2.4.51
fc7878a is described below

commit fc7878a34b07c8fedbaffe5d08f8886ee1015142
Author: Stefan Eissing <st...@greenbytes.de>
AuthorDate: Thu Oct 7 17:22:03 2021 +0200

    publishing release httpd-2.4.51
---
 content/doap.rdf                          |  4 +-
 content/download.md                       | 24 ++++----
 content/index.md                          |  6 +-
 content/security/json/CVE-2021-42013.json | 97 +++++++++++++++++++++++++++++++
 4 files changed, 114 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index 7313618..67addea 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
     <release>
       <Version>
         <name>Recommended current 2.4 release</name>
-        <created>2021-10-04</created>
-        <revision>2.4.50</revision>
+        <created>2021-10-07</created>
+        <revision>2.4.51</revision>
       </Version>
     </release>
 
diff --git a/content/download.md b/content/download.md
index a9b9be6..59d504b 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,7 +19,7 @@ Apache httpd for Microsoft Windows is available from
 
 Stable Release - Latest Version:
 
--  [2.4.50](#apache24) (released 2021-10-04)
+-  [2.4.51](#apache24) (released 2021-10-07)
 
 If you are downloading the Win32 distribution, please read these [important
 notes]([preferred]/httpd/binaries/win32/README.html).
@@ -41,11 +41,11 @@ type="submit" value="Change"></input></form>
 You may also consult the [complete list of
 mirrors](//www.apache.org/mirrors/).
 
-# Apache HTTP Server 2.4.50 (httpd): 2.4.50 is the latest available version <span>2021-10-04</span>  {#apache24}
+# Apache HTTP Server 2.4.51 (httpd): 2.4.51 is the latest available version <span>2021-10-07</span>  {#apache24}
 
 The Apache HTTP Server Project is pleased to
 [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.50 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.51 of the Apache HTTP Server ("Apache" and "httpd").
 This version of Apache is our latest GA release of the new generation 2.4.x
 branch of Apache HTTPD and represents fifteen years of innovation by the
 project, and is recommended over all previous releases!
@@ -53,17 +53,17 @@ project, and is recommended over all previous releases!
 For details, see the [Official
 Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
 the [CHANGES_2.4]([preferred]/httpd/CHANGES_2.4) and
-[CHANGES_2.4.50]([preferred]/httpd/CHANGES_2.4.50) lists.
+[CHANGES_2.4.51]([preferred]/httpd/CHANGES_2.4.51) lists.
 
-- Source: [httpd-2.4.50.tar.bz2]([preferred]/httpd/httpd-2.4.50.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.50.tar.bz2.sha512) ]
+- Source: [httpd-2.4.51.tar.bz2]([preferred]/httpd/httpd-2.4.51.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.sha512) ]
 
-- Source: [httpd-2.4.50.tar.gz]([preferred]/httpd/httpd-2.4.50.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.50.tar.gz.sha512) ]
+- Source: [httpd-2.4.51.tar.gz]([preferred]/httpd/httpd-2.4.51.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.sha512) ]
 
 - [Binaries]([preferred]/httpd/binaries/) 
 
diff --git a/content/index.md b/content/index.md
index 5a4c774..081d7f4 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
 The Apache HTTP Server is a project of [The Apache Software
 Foundation](http://www.apache.org/).
 
-# Apache httpd 2.4.50 Released <span>2021-10-04</span>
+# Apache httpd 2.4.51 Released <span>2021-10-07</span>
 The Apache Software Foundation and the Apache HTTP Server Project are
 pleased to
 [announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.50 of the Apache HTTP Server ("httpd").
+release of version 2.4.51 of the Apache HTTP Server ("httpd").
 
 This latest release from the 2.4.x stable branch represents the best available
 version of Apache HTTP Server.
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
 Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
 
 [Download](download.cgi#apache24) | [ChangeLog for
-2.4.50](http://downloads.apache.org/httpd/CHANGES_2.4.50) | [Complete ChangeLog for
+2.4.51](http://downloads.apache.org/httpd/CHANGES_2.4.51) | [Complete ChangeLog for
 2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
 2.4](docs/trunk/new_features_2_4.html)  {.centered}
 
diff --git a/content/security/json/CVE-2021-42013.json b/content/security/json/CVE-2021-42013.json
new file mode 100644
index 0000000..2a00212
--- /dev/null
+++ b/content/security/json/CVE-2021-42013.json
@@ -0,0 +1,97 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2021-42013",
+    "STATE": "REVIEW",
+    "TITLE": "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "=",
+                      "version_name": "Apache HTTP Server",
+                      "version_value": "2.4.49"
+                    },
+                    {
+                      "version_affected": "=",
+                      "version_name": "Apache HTTP Server",
+                      "version_value": "2.4.50"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.  An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.  \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\n [...]
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "critical"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-10-06",
+      "value": "reported"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-10-07",
+      "value": "2.4.51 released"
+    }
+  ]
+}
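Review bot: The only entry in `references.reference_data` is `{ "refsource": "CONFIRM" }` with no `url`, so anyone consuming this record gets a confirmation reference that points nowhere. Either add the link, `"url": "<ADVISORY_URL_PLACEHOLDER>"`, or leave `reference_data` as an empty array until the link exists. `CVE_data_meta.STATE` is still `"REVIEW"` in the commit that publishes 2.4.51; if the site generator or downstream feeds filter on state, the advisory may not surface as public, so this is worth confirming against the project's publishing workflow. In the description string, "aliased pathes" should read "aliased paths", since this text is copied verbatim into vulnerability databases and scanner output.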