Posted to cvs@httpd.apache.org by co...@apache.org on 2023/03/07 12:50:59 UTC

[httpd-site] branch main updated: publishing release httpd-2.4.56

This is an automated email from the ASF dual-hosted git repository.

covener pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 460f6c2  publishing release httpd-2.4.56
460f6c2 is described below

commit 460f6c2f3cd8ed25b1d21427a89e84ae1eee6cc3
Author: Eric Covener <ec...@us.ibm.com>
AuthorDate: Tue Mar 7 07:50:53 2023 -0500

    publishing release httpd-2.4.56
---
 content/doap.rdf                          |   4 +-
 content/download.md                       |  24 +++----
 content/index.md                          |   6 +-
 content/security/json/CVE-2023-25690.json | 103 ++++++++++++++++++++++++++++++
 content/security/json/CVE-2023-27522.json | 101 +++++++++++++++++++++++++++++
 5 files changed, 221 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index 287c18c..15ee6ca 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
     <release>
       <Version>
         <name>Recommended current 2.4 release</name>
-        <created>2023-01-17</created>
-        <revision>2.4.55</revision>
+        <created>2023-03-07</created>
+        <revision>2.4.56</revision>
       </Version>
     </release>
 
diff --git a/content/download.md b/content/download.md
index 96a9657..4dd4e4c 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from
 
 Stable Release - Latest Version:
 
--  [2.4.55](#apache24) (released 2023-01-17)
+-  [2.4.56](#apache24) (released 2023-03-07)
 
 If you are downloading the Win32 distribution, please read these [important
 notes]([preferred]httpd/binaries/win32/README.html).
 
-# Apache HTTP Server 2.4.55 (httpd): 2.4.55 is the latest available version <span>2023-01-17</span>  {#apache24}
+# Apache HTTP Server 2.4.56 (httpd): 2.4.56 is the latest available version <span>2023-03-07</span>  {#apache24}
 
 The Apache HTTP Server Project is pleased to
 [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.55 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.56 of the Apache HTTP Server ("Apache" and "httpd").
 This version of Apache is our latest GA release of the new generation 2.4.x
 branch of Apache HTTPD and represents fifteen years of innovation by the
 project, and is recommended over all previous releases!
@@ -36,17 +36,17 @@ project, and is recommended over all previous releases!
 For details, see the [Official
 Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
 the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and
-[CHANGES_2.4.55]([preferred]httpd/CHANGES_2.4.55) lists.
+[CHANGES_2.4.56]([preferred]httpd/CHANGES_2.4.56) lists.
 
-- Source: [httpd-2.4.55.tar.bz2]([preferred]httpd/httpd-2.4.55.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha512) ]
+- Source: [httpd-2.4.56.tar.bz2]([preferred]httpd/httpd-2.4.56.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.sha512) ]
 
-- Source: [httpd-2.4.55.tar.gz]([preferred]httpd/httpd-2.4.55.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha512) ]
+- Source: [httpd-2.4.56.tar.gz]([preferred]httpd/httpd-2.4.56.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.sha512) ]
 
 - [Binaries]([preferred]httpd/binaries/) 
 
diff --git a/content/index.md b/content/index.md
index 187ff18..2b611b7 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
 The Apache HTTP Server is a project of [The Apache Software
 Foundation](http://www.apache.org/).
 
-# Apache httpd 2.4.55 Released <span>2023-01-17</span>
+# Apache httpd 2.4.56 Released <span>2023-03-07</span>
 The Apache Software Foundation and the Apache HTTP Server Project are
 pleased to
 [announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.55 of the Apache HTTP Server ("httpd").
+release of version 2.4.56 of the Apache HTTP Server ("httpd").
 
 This latest release from the 2.4.x stable branch represents the best available
 version of Apache HTTP Server.
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
 Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
 
 [Download](download.cgi#apache24) | [ChangeLog for
-2.4.55](http://downloads.apache.org/httpd/CHANGES_2.4.55) | [Complete ChangeLog for
+2.4.56](http://downloads.apache.org/httpd/CHANGES_2.4.56) | [Complete ChangeLog for
 2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
 2.4](docs/trunk/new_features_2_4.html)  {.centered}
 
diff --git a/content/security/json/CVE-2023-25690.json b/content/security/json/CVE-2023-25690.json
new file mode 100644
index 0000000..fe3035f
--- /dev/null
+++ b/content/security/json/CVE-2023-25690.json
@@ -0,0 +1,103 @@
+{
+  "cveMetadata": {
+    "cveId": "CVE-2023-25690",
+    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+    "serial": 1,
+    "state": "PUBLISHED"
+  },
+  "CNA_private": {
+    "emailed": null,
+    "projecturl": "https://httpd.apache.org/",
+    "owner": "httpd",
+    "userslist": "users@httpd.apache.org",
+    "state": "REVIEW",
+    "todo": [],
+    "type": "unsure"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+      },
+      "title": "HTTP request splitting with mod_rewrite and mod_proxy",
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",
+              "lang": "en",
+              "cweId": "CWE-444",
+              "type": "CWE"
+            }
+          ]
+        }
+      ],
+      "source": {
+        "discovery": "UNKNOWN"
+      },
+      "affected": [
+        {
+          "vendor": "Apache Software Foundation",
+          "product": "Apache HTTP Server",
+          "versions": [
+            {
+              "status": "affected",
+              "version": "2.4.0",
+              "lessThanOrEqual": "2.4.55",
+              "versionType": "semver"
+            }
+          ],
+          "defaultStatus": "unknown"
+        }
+      ],
+      "descriptions": [
+        {
+          "value": "Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRew [...]
+          "lang": "en",
+          "supportingMedia": [
+            {
+              "type": "text/html",
+              "base64": false,
+              "value": "<div>Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.</div><div><br></div><div><div>Configurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example [...]
+            }
+          ]
+        }
+      ],
+      "references": [],
+      "metrics": [
+        {
+          "other": {
+            "type": "Textual description of severity",
+            "content": {
+              "text": "important"
+            }
+          }
+        }
+      ],
+      "timeline": [
+        {
+          "time": "2023-02-02T06:01:00.000Z",
+          "lang": "en",
+          "value": "reported"
+        },
+        {
+          "lang": "eng",
+          "time": "2023-03-07",
+          "value": "2.4.56 released"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Lars Krapf of Adobe",
+          "type": "finder"
+        }
+      ],
+      "x_generator": {
+        "engine": "Vulnogram 0.1.0-dev"
+      }
+    }
+  },
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0"
+}
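Review bot: The new CVE-2023-25690.json publishes an empty `references` array, so the public record carries no link to the advisory or to the fixed release, even though the sibling CVE-2023-27522.json added in this same commit lists `{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}`; the same entry belongs in this file. The top-level `CNA_private` object (`"state": "REVIEW"`, `"type": "unsure"`, `"emailed": null`, `"todo": []`) reads as internal CNA workflow state rather than part of the published record and is absent from the other file — confirm whether it should be stripped before the file lands under content/security/json/. The two `timeline` entries also disagree on their language tag (`"en"` for the report, `"eng"` for the release), and `"defaultStatus": "unknown"` differs from the `"unaffected"` used in the sibling record; using `"lang": "en"` throughout, and one defaultStatus policy across both records, keeps consumers from treating the two files differently.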
diff --git a/content/security/json/CVE-2023-27522.json b/content/security/json/CVE-2023-27522.json
new file mode 100644
index 0000000..21a58fa
--- /dev/null
+++ b/content/security/json/CVE-2023-27522.json
@@ -0,0 +1,101 @@
+{
+  "containers": {
+    "cna": {
+      "affected": [
+        {
+          "defaultStatus": "unaffected",
+          "product": "Apache HTTP Server",
+          "vendor": "Apache Software Foundation",
+          "versions": [
+            {
+              "lessThanOrEqual": "2.4.55",
+              "status": "affected",
+              "version": "2.4.30",
+              "versionType": "semver"
+            }
+          ]
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "type": "finder",
+          "value": "Dimas Fariski Setyawan Putra (nyxsorcerer)"
+        }
+      ],
+      "descriptions": [
+        {
+          "lang": "en",
+          "supportingMedia": [
+            {
+              "base64": false,
+              "type": "text/html",
+              "value": "<div>HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_<code>proxy_uwsgi</code>. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.</div><div>Special characters in the origin response header can truncate/split the response forwarded to the client.<br></div>"
+            }
+          ],
+          "value": "HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n"
+        }
+      ],
+      "metrics": [
+        {
+          "other": {
+            "content": {
+              "text": "moderate"
+            },
+            "type": "Textual description of severity"
+          }
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "cweId": "CWE-444",
+              "description": "CWE-444 Inconsistent Interpretation of HTTP Responses ('HTTP Response Smuggling')",
+              "lang": "en",
+              "type": "CWE"
+            }
+          ]
+        }
+      ],
+      "providerMetadata": {
+        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+      },
+      "references": [
+        {
+          "tags": [
+            "vendor-advisory"
+          ],
+          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
+        }
+      ],
+      "source": {
+        "discovery": "UNKNOWN"
+      },
+      "timeline": [
+        {
+          "lang": "en",
+          "time": "2023-01-29T10:42:00.000Z",
+          "value": "Reported to security team"
+        },
+        {
+          "lang": "eng",
+          "time": "2023-03-07",
+          "value": "2.4.56 released"
+        }
+      ],
+      "title": "Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting",
+      "x_generator": {
+        "engine": "Vulnogram 0.1.0-dev"
+      }
+    }
+  },
+  "cveMetadata": {
+    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+    "cveId": "CVE-2023-27522",
+    "serial": 1,
+    "state": "PUBLISHED"
+  },
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0"
+}
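Review bot: The second `timeline` entry uses `"lang": "eng"` while every other language tag in this record is `"en"`; tooling that keys on the tag will see two different languages for the same record, so the entry should read `"lang": "en"`. Separately, the `supportingMedia` HTML splits the module name as `mod_<code>proxy_uwsgi</code>`, which renders fine but diverges from the plain-text `value` (`mod_proxy_uwsgi`) and is awkward to search; wrapping the whole identifier, `<code>mod_proxy_uwsgi</code>`, keeps the two descriptions aligned.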