Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/12/20 09:44:15 UTC

[httpd-site] branch main updated: publishing release httpd-2.4.52

This is an automated email from the ASF dual-hosted git repository.

icing pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 45afe13  publishing release httpd-2.4.52
45afe13 is described below

commit 45afe13aa7813b27b21a99aa08ed9f3ed4e2dbdb
Author: Stefan Eissing <st...@greenbytes.de>
AuthorDate: Mon Dec 20 10:44:07 2021 +0100

    publishing release httpd-2.4.52
---
 content/doap.rdf                          |   4 +-
 content/download.md                       |  24 +++----
 content/index.md                          |   6 +-
 content/security/json/CVE-2021-44224.json | 106 ++++++++++++++++++++++++++++++
 content/security/json/CVE-2021-44790.json |  97 +++++++++++++++++++++++++++
 5 files changed, 220 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index 67addea..2c3cf09 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
     <release>
       <Version>
         <name>Recommended current 2.4 release</name>
-        <created>2021-10-07</created>
-        <revision>2.4.51</revision>
+        <created>2021-12-20</created>
+        <revision>2.4.52</revision>
       </Version>
     </release>
 
diff --git a/content/download.md b/content/download.md
index 59d504b..950b865 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,7 +19,7 @@ Apache httpd for Microsoft Windows is available from
 
 Stable Release - Latest Version:
 
--  [2.4.51](#apache24) (released 2021-10-07)
+-  [2.4.52](#apache24) (released 2021-12-20)
 
 If you are downloading the Win32 distribution, please read these [important
 notes]([preferred]/httpd/binaries/win32/README.html).
@@ -41,11 +41,11 @@ type="submit" value="Change"></input></form>
 You may also consult the [complete list of
 mirrors](//www.apache.org/mirrors/).
 
-# Apache HTTP Server 2.4.51 (httpd): 2.4.51 is the latest available version <span>2021-10-07</span>  {#apache24}
+# Apache HTTP Server 2.4.52 (httpd): 2.4.52 is the latest available version <span>2021-12-20</span>  {#apache24}
 
 The Apache HTTP Server Project is pleased to
 [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.51 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.52 of the Apache HTTP Server ("Apache" and "httpd").
 This version of Apache is our latest GA release of the new generation 2.4.x
 branch of Apache HTTPD and represents fifteen years of innovation by the
 project, and is recommended over all previous releases!
@@ -53,17 +53,17 @@ project, and is recommended over all previous releases!
 For details, see the [Official
 Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
 the [CHANGES_2.4]([preferred]/httpd/CHANGES_2.4) and
-[CHANGES_2.4.51]([preferred]/httpd/CHANGES_2.4.51) lists.
+[CHANGES_2.4.52]([preferred]/httpd/CHANGES_2.4.52) lists.
 
-- Source: [httpd-2.4.51.tar.bz2]([preferred]/httpd/httpd-2.4.51.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.51.tar.bz2.sha512) ]
+- Source: [httpd-2.4.52.tar.bz2]([preferred]/httpd/httpd-2.4.52.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.sha512) ]
 
-- Source: [httpd-2.4.51.tar.gz]([preferred]/httpd/httpd-2.4.51.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.51.tar.gz.sha512) ]
+- Source: [httpd-2.4.52.tar.gz]([preferred]/httpd/httpd-2.4.52.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.sha512) ]
 
 - [Binaries]([preferred]/httpd/binaries/) 
 
diff --git a/content/index.md b/content/index.md
index 081d7f4..abddf1e 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
 The Apache HTTP Server is a project of [The Apache Software
 Foundation](http://www.apache.org/).
 
-# Apache httpd 2.4.51 Released <span>2021-10-07</span>
+# Apache httpd 2.4.52 Released <span>2021-12-20</span>
 The Apache Software Foundation and the Apache HTTP Server Project are
 pleased to
 [announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.51 of the Apache HTTP Server ("httpd").
+release of version 2.4.52 of the Apache HTTP Server ("httpd").
 
 This latest release from the 2.4.x stable branch represents the best available
 version of Apache HTTP Server.
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
 Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
 
 [Download](download.cgi#apache24) | [ChangeLog for
-2.4.51](http://downloads.apache.org/httpd/CHANGES_2.4.51) | [Complete ChangeLog for
+2.4.52](http://downloads.apache.org/httpd/CHANGES_2.4.52) | [Complete ChangeLog for
 2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
 2.4](docs/trunk/new_features_2_4.html)  {.centered}
 
diff --git a/content/security/json/CVE-2021-44224.json b/content/security/json/CVE-2021-44224.json
new file mode 100644
index 0000000..271ea29
--- /dev/null
+++ b/content/security/json/CVE-2021-44224.json
@@ -0,0 +1,106 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2021-44224",
+    "STATE": "REVIEW",
+    "TITLE": "Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": ">=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.7"
+                    },
+                    {
+                      "version_affected": "<=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.51"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "漂亮鼠"
+    },
+    {
+      "lang": "eng",
+      "value": "TengMA(@Te3t123)"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included)."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "moderate"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-476 NULL Pointer Dereference"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-11-18",
+      "value": "Reported to security team"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-12-14",
+      "value": "fixed by r1895955+r1896044 in 2.4.x"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-12-20",
+      "value": "2.4.52 released"
+    }
+  ]
+}
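Review bot: The only `reference_data` entry (the `"refsource": "CONFIRM"` line) carries no `url`, so the advisory publishes a reference that resolves to nothing; in the CVE JSON 4.0 layout each reference object is expected to pair `refsource` with a `url`, e.g. `{ "refsource": "CONFIRM", "url": "<URL-OF-ANNOUNCEMENT-OR-ADVISORY>" }` (placeholder to be filled in). CVE-2021-44790.json in this same commit has the identical empty reference. Separately, `"STATE": "REVIEW"` is committed alongside the release that publishes the fix; if the site generator keys visibility off this field it presumably should read `"STATE": "PUBLIC"`, which is worth confirming against the existing files under content/security/json. Minor style: the timeline value `fixed by r1895955+r1896044 in 2.4.x` is lower-case while the sibling file writes `Fixed by …`; pick one form.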
diff --git a/content/security/json/CVE-2021-44790.json b/content/security/json/CVE-2021-44790.json
new file mode 100644
index 0000000..adf4faf
--- /dev/null
+++ b/content/security/json/CVE-2021-44790.json
@@ -0,0 +1,97 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2021-44790",
+    "STATE": "REVIEW",
+    "TITLE": "Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.51"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Chamal"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).\nThe Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one.\n\nThis issue affects Apache HTTP Server 2.4.51 and earlier."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "high"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-787 Out-of-bounds Write"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-12-07",
+      "value": "Reported to security team"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-12-16",
+      "value": "Fixed by r1896039 in 2.4.x"
+    },
+    {
+      "lang": "eng",
+      "time": "2021-12-20",
+      "value": "2.4.52 released"
+    }
+  ]
+}
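Review bot: The description value misspells "vulnerabilty"; since this string is rendered verbatim on the security page, change the sentence to `The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.`. The `reference_data` entry here lacks a `url` in the same way as CVE-2021-44224.json (raised there). The affected-version block's single `"version_affected": "<="` bound on `2.4.51` does agree with the description's "2.4.51 and earlier", so no change is needed there.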