Posted to cvs@httpd.apache.org by ja...@apache.org on 2021/06/01 20:04:52 UTC

svn commit: r1890370 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS

Author: jailletc36
Date: Tue Jun  1 20:04:51 2021
New Revision: 1890370

URL: http://svn.apache.org/viewvc?rev=1890370&view=rev
Log:
Updates for announcement of 

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1890370&r1=1890369&r2=1890370&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jun  1 20:04:51 2021
@@ -11,6 +11,9 @@ Changes with Apache 2.4.49
 
 Changes with Apache 2.4.48
 
+  *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+     mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
   *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
      fallback to mod_proxy_http for WebSocket upgrade and tunneling.
      [Yann Ylavic]
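Review bot: the new CVE-2021-31618 entry states only "Fix a potential NULL pointer dereference" and omits the impact, while every other SECURITY entry added in this commit that fixes a NULL dereference spells it out ("which could be used to cause a Denial of Service"). Consider the same wording here so readers of CHANGES can judge severity without looking up the CVE, e.g. "mod_http2: Fix a potential NULL pointer dereference, which could be used to cause a Denial of Service. [Ivan Zhakov]".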
@@ -136,6 +139,33 @@ Changes with Apache 2.4.48
 
 Changes with Apache 2.4.47
 
+  *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+     Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+  *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+     mod_auth_digest: possible stack overflow by one nul byte while validating
+     the Digest nonce.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service with a malicious backend
+     server and SessionHeader.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+     mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+     Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+  *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+     mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+     negotiation.  [Yann Ylavic]
+
   *) mod_dav_fs: Improve logging output when failing to open files for
      writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
 
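Review bot: the CVE-2021-30641 entry ("Unexpected <Location> section matching with 'MergeSlashes OFF'") is the only one of the seven added SECURITY entries without a bracketed attribution; all others credit Yann Ylavic or Ivan Zhakov. Add the author in brackets for consistency with the rest of the 2.4.47 section. Also, the two mod_session entries (CVE-2020-26691 and CVE-2020-26690) read almost identically apart from the "malicious backend server and SessionHeader" clause; a short qualifier on the CVE-2020-26690 entry would make clear which code path each one covers.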
@@ -195,22 +225,13 @@ Changes with Apache 2.4.47
   *) mod_authnz_ldap: Prevent authentications with empty passwords for the
      initial bind to fail with status 500. [Ruediger Pluem]
 
-  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-     the format can't match anyway.  [Yann Ylavic]
-
   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
      Transfer-Encoding from the client, spooling the request body when needed
      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
 
-  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
-     proxy_util.  [Yann Ylavic]
-
   *) mod_proxy: Improve tunneling loop to support half closed connections and
      pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
 
-  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
-     and switched protocol forwarding.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
      allowing for (non-)Upgrade negotiation with the origin server.
      [Yann Ylavic]
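Review bot: three of the four removed entries are plainly superseded by SECURITY entries added earlier in this patch (the mod_auth_digest nonce validation by CVE-2020-35452, the mod_proxy_http Upgrade/101 handling by CVE-2019-17567), but the removal of "mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in proxy_util" has no corresponding replacement line. If that refactoring is considered part of the CVE-2019-17567 fix, the retained entry should mention proxy_util; otherwise the refactoring note should stay so the changelog still records the code movement.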

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1890370&r1=1890369&r2=1890370&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jun  1 20:04:51 2021
@@ -30,7 +30,7 @@ Release history:
           while x.{even}.z versions are Stable/GA releases.]
 
     2.4.49  : In development
-    2.4.48  : Tagged on May 17, 2021
+    2.4.48  : Tagged on May 17, 2021. Released on June 01, 2021.
     2.4.47  : Tagged on April 22, 2021. Distributed on April 28, 2021,
               not announced.
     2.4.46  : Tagged on August 01, 2020. Released on August 07, 2020.
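Review bot: the log message "Updates for announcement of" is cut short and does not name the release; this hunk shows the commit records the 2.4.48 release on June 01, 2021, so the log should say so (and ideally list the CVEs being published in CHANGES). Note also that the 2.4.47 line still reads "Distributed ... not announced" while this commit adds seven SECURITY entries to the 2.4.47 section of CHANGES; confirm that is the intended place for them rather than the 2.4.48 section that is actually being announced.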