Posted to cvs@httpd.apache.org by ic...@apache.org on 2022/03/14 09:51:48 UTC

[httpd-site] branch main updated: publishing release httpd-2.4.53

This is an automated email from the ASF dual-hosted git repository.

icing pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 5912ee2  publishing release httpd-2.4.53
5912ee2 is described below

commit 5912ee2bcc5b145694862a4d9a5220c84ce6373d
Author: Stefan Eissing <st...@greenbytes.de>
AuthorDate: Mon Mar 14 10:51:43 2022 +0100

    publishing release httpd-2.4.53
---
 content/doap.rdf                          |   4 +-
 content/download.md                       |  24 +++----
 content/index.md                          |   6 +-
 content/security/json/CVE-2022-22719.json |  92 +++++++++++++++++++++++++++
 content/security/json/CVE-2022-22720.json |  87 ++++++++++++++++++++++++++
 content/security/json/CVE-2022-22721.json |  92 +++++++++++++++++++++++++++
 content/security/json/CVE-2022-23943.json | 100 ++++++++++++++++++++++++++++++
 7 files changed, 388 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index 2c3cf09..b9c7426 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
     <release>
       <Version>
         <name>Recommended current 2.4 release</name>
-        <created>2021-12-20</created>
-        <revision>2.4.52</revision>
+        <created>2022-03-14</created>
+        <revision>2.4.53</revision>
       </Version>
     </release>
 
diff --git a/content/download.md b/content/download.md
index 690a1ce..a05dca9 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from
 
 Stable Release - Latest Version:
 
--  [2.4.52](#apache24) (released 2021-12-20)
+-  [2.4.53](#apache24) (released 2022-03-14)
 
 If you are downloading the Win32 distribution, please read these [important
 notes]([preferred]/httpd/binaries/win32/README.html).
 
-# Apache HTTP Server 2.4.52 (httpd): 2.4.52 is the latest available version <span>2021-12-20</span>  {#apache24}
+# Apache HTTP Server 2.4.53 (httpd): 2.4.53 is the latest available version <span>2022-03-14</span>  {#apache24}
 
 The Apache HTTP Server Project is pleased to
 [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.52 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.53 of the Apache HTTP Server ("Apache" and "httpd").
 This version of Apache is our latest GA release of the new generation 2.4.x
 branch of Apache HTTPD and represents fifteen years of innovation by the
 project, and is recommended over all previous releases!
@@ -36,17 +36,17 @@ project, and is recommended over all previous releases!
 For details, see the [Official
 Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
 the [CHANGES_2.4]([preferred]/httpd/CHANGES_2.4) and
-[CHANGES_2.4.52]([preferred]/httpd/CHANGES_2.4.52) lists.
+[CHANGES_2.4.53]([preferred]/httpd/CHANGES_2.4.53) lists.
 
-- Source: [httpd-2.4.52.tar.bz2]([preferred]/httpd/httpd-2.4.52.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.52.tar.bz2.sha512) ]
+- Source: [httpd-2.4.53.tar.bz2]([preferred]/httpd/httpd-2.4.53.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.53.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.53.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.53.tar.bz2.sha512) ]
 
-- Source: [httpd-2.4.52.tar.gz]([preferred]/httpd/httpd-2.4.52.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.52.tar.gz.sha512) ]
+- Source: [httpd-2.4.53.tar.gz]([preferred]/httpd/httpd-2.4.53.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.53.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.53.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.53.tar.gz.sha512) ]
 
 - [Binaries]([preferred]/httpd/binaries/) 
 
diff --git a/content/index.md b/content/index.md
index abddf1e..bc3f0d9 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
 The Apache HTTP Server is a project of [The Apache Software
 Foundation](http://www.apache.org/).
 
-# Apache httpd 2.4.52 Released <span>2021-12-20</span>
+# Apache httpd 2.4.53 Released <span>2022-03-14</span>
 The Apache Software Foundation and the Apache HTTP Server Project are
 pleased to
 [announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.52 of the Apache HTTP Server ("httpd").
+release of version 2.4.53 of the Apache HTTP Server ("httpd").
 
 This latest release from the 2.4.x stable branch represents the best available
 version of Apache HTTP Server.
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
 Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
 
 [Download](download.cgi#apache24) | [ChangeLog for
-2.4.52](http://downloads.apache.org/httpd/CHANGES_2.4.52) | [Complete ChangeLog for
+2.4.53](http://downloads.apache.org/httpd/CHANGES_2.4.53) | [Complete ChangeLog for
 2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
 2.4](docs/trunk/new_features_2_4.html)  {.centered}
 
diff --git a/content/security/json/CVE-2022-22719.json b/content/security/json/CVE-2022-22719.json
new file mode 100644
index 0000000..9774cea
--- /dev/null
+++ b/content/security/json/CVE-2022-22719.json
@@ -0,0 +1,92 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2022-22719",
+    "STATE": "REVIEW",
+    "TITLE": "mod_lua Use of uninitialized value of in r:parsebody"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.52"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Chamal De Silva"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.52 and earlier."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "moderate"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-665 Improper Initialization"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-12-18",
+      "value": "Reported to security team"
+    },
+    {
+      "lang": "eng",
+      "time": "2022-03-14",
+      "value": "2.4.53 released"
+    }
+  ]
+}
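Review bot: The single `references.reference_data` entry near the end of this hunk carries only `"refsource": "CONFIRM"` with no `url` or `name`, so the published record points readers nowhere for the advisory or the fix; the CVE-2022-22720, CVE-2022-22721 and CVE-2022-23943 hunks in this commit have the same empty entry. Unless the site generator derives the link from the CVE ID, I'd complete it, e.g. `{ "refsource": "CONFIRM", "url": "<ADVISORY-URL placeholder>" }`. The TITLE "mod_lua Use of uninitialized value of in r:parsebody" has a stray "of"; `"TITLE": "mod_lua Use of uninitialized value in r:parsebody"`. Finally, `"STATE": "REVIEW"` on a record committed as "publishing release" may be a leftover working state — I can't tell from the hunk whether the generator expects it to be flipped to PUBLIC at publication, but it is worth confirming since the same value appears in all four new files.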
diff --git a/content/security/json/CVE-2022-22720.json b/content/security/json/CVE-2022-22720.json
new file mode 100644
index 0000000..d137392
--- /dev/null
+++ b/content/security/json/CVE-2022-22720.json
@@ -0,0 +1,87 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2022-22720",
+    "STATE": "REVIEW",
+    "TITLE": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.52"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "James Kettle <james.kettle portswigger.net>"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling"
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2022-03-14",
+      "value": "2.4.53 released"
+    }
+  ]
+}
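Review bot: The `timeline` array for CVE-2022-22720 holds only the "2.4.53 released" entry, whereas the three sibling records added in this commit also record when the issue was reported; if that date is known, adding `{ "lang": "eng", "time": "<REPORT-DATE placeholder>", "value": "Reported to security team" }` keeps the four records uniform for anything that renders the timeline. The credit string `"James Kettle <james.kettle portswigger.net>"` has no `@` in the address — presumably deliberate to avoid harvesting, but if it is an editing slip it should match how reporter contacts are written in the project's other advisory files.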
diff --git a/content/security/json/CVE-2022-22721.json b/content/security/json/CVE-2022-22721.json
new file mode 100644
index 0000000..b944f38
--- /dev/null
+++ b/content/security/json/CVE-2022-22721.json
@@ -0,0 +1,92 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2022-22721",
+    "STATE": "REVIEW",
+    "TITLE": "core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_name": "Apache HTTP Server 2.4",
+                      "version_value": "2.4.52"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Anonymous working with Trend Micro Zero Day Initiative"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.\n\nThis issue affects Apache HTTP Server 2.4.52 and earlier."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "low"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-190 Integer Overflow or Wraparound"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2021-12-16",
+      "value": "Reported to security team"
+    },
+    {
+      "lang": "eng",
+      "time": "2022-03-14",
+      "value": "2.4.53 released"
+    }
+  ]
+}
diff --git a/content/security/json/CVE-2022-23943.json b/content/security/json/CVE-2022-23943.json
new file mode 100644
index 0000000..ed1eec9
--- /dev/null
+++ b/content/security/json/CVE-2022-23943.json
@@ -0,0 +1,100 @@
+{
+  "CVE_data_meta": {
+    "ASSIGNER": "security@apache.org",
+    "ID": "CVE-2022-23943",
+    "STATE": "REVIEW",
+    "TITLE": "mod_sed: Read/write beyond bounds"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Apache HTTP Server",
+                "version": {
+                  "version_data": [
+                    {
+                      "version_affected": "<=",
+                      "version_name": "2.4",
+                      "version_value": "2.4.52"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Apache Software Foundation"
+        }
+      ]
+    }
+  },
+  "credit": [
+    {
+      "lang": "eng",
+      "value": "Ronald Crane (Zippenhop LLC)"
+    }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.\n\nThis issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions."
+      }
+    ]
+  },
+  "generator": {
+    "engine": "Vulnogram 0.0.9"
+  },
+  "impact": [
+    {
+      "other": "important"
+    }
+  ],
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-787 Out-of-bounds Write"
+          }
+        ]
+      },
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-190 Integer Overflow or Wraparound"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM"
+      }
+    ]
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "timeline": [
+    {
+      "lang": "eng",
+      "time": "2022-01-13",
+      "value": "Reported to security team"
+    },
+    {
+      "lang": "eng",
+      "time": "2022-03-14",
+      "value": "2.4.53 released"
+    }
+  ]
+}
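Review bot: `version_name` in this record is `"2.4"` while the other three files added in this commit use `"Apache HTTP Server 2.4"` for the same branch; a consumer that groups or filters advisories by `version_name` will see two different branches, so `"version_name": "Apache HTTP Server 2.4",` keeps the set consistent. The description's phrasing "2.4 version 2.4.52 and prior versions" likewise differs from the "2.4.52 and earlier" wording of the sibling records; not wrong, but aligning it makes the generated listing read uniformly.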