You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by co...@apache.org on 2023/03/07 12:50:51 UTC
svn commit: r60480 - in /release/httpd: CHANGES_2.4 CHANGES_2.4.56 CURRENT-IS-2.4.55 CURRENT-IS-2.4.56
Author: covener
Date: Tue Mar 7 12:50:51 2023
New Revision: 60480
Log:
publishing release httpd-2.4.56
Added:
release/httpd/CURRENT-IS-2.4.56
Removed:
release/httpd/CURRENT-IS-2.4.55
Modified:
release/httpd/CHANGES_2.4
release/httpd/CHANGES_2.4.56
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Tue Mar 7 12:50:51 2023
@@ -1,6 +1,37 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.56
+ *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
+ HTTP response splitting (cve.mitre.org)
+ HTTP Response Smuggling vulnerability in Apache HTTP Server via
+ mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
+ 2.4.30 through 2.4.55.
+ Special characters in the origin response header can
+ truncate/split the response forwarded to the client.
+ Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
+
+ *) SECURITY: CVE-2023-25690: HTTP request splitting with
+ mod_rewrite and mod_proxy (cve.mitre.org)
+ Some mod_proxy configurations on Apache HTTP Server versions
+ 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
+ Configurations are affected when mod_proxy is enabled along with
+ some form of RewriteRule
+ or ProxyPassMatch in which a non-specific pattern matches
+ some portion of the user-supplied request-target (URL) data and
+ is then
+ re-inserted into the proxied request-target using variable
+ substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "
+ http://example.com:8080/elsewhere?$1"
+ http://example.com:8080/elsewhere ; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
+ http://example.com:8080/
+ Request splitting/smuggling could result in bypass of access
+ controls in the proxy server, proxying unintended URLs to
+ existing origin servers, and cache poisoning.
+ Credits: Lars Krapf of Adobe
+
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
Modified: release/httpd/CHANGES_2.4.56
==============================================================================
--- release/httpd/CHANGES_2.4.56 (original)
+++ release/httpd/CHANGES_2.4.56 Tue Mar 7 12:50:51 2023
@@ -1,6 +1,37 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.56
+ *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
+ HTTP response splitting (cve.mitre.org)
+ HTTP Response Smuggling vulnerability in Apache HTTP Server via
+ mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
+ 2.4.30 through 2.4.55.
+ Special characters in the origin response header can
+ truncate/split the response forwarded to the client.
+ Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
+
+ *) SECURITY: CVE-2023-25690: HTTP request splitting with
+ mod_rewrite and mod_proxy (cve.mitre.org)
+ Some mod_proxy configurations on Apache HTTP Server versions
+ 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
+ Configurations are affected when mod_proxy is enabled along with
+ some form of RewriteRule
+ or ProxyPassMatch in which a non-specific pattern matches
+ some portion of the user-supplied request-target (URL) data and
+ is then
+ re-inserted into the proxied request-target using variable
+ substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "
+ http://example.com:8080/elsewhere?$1"
+ http://example.com:8080/elsewhere ; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
+ http://example.com:8080/
+ Request splitting/smuggling could result in bypass of access
+ controls in the proxy server, proxying unintended URLs to
+ existing origin servers, and cache poisoning.
+ Credits: Lars Krapf of Adobe
+
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
Added: release/httpd/CURRENT-IS-2.4.56
==============================================================================
(empty)