Posted to cvs@httpd.apache.org by rj...@apache.org on 2023/03/20 13:40:12 UTC
svn commit: r60725 - in /release/httpd: CHANGES_2.4 CHANGES_2.4.56
Author: rjung
Date: Mon Mar 20 13:40:12 2023
New Revision: 60725
Log:
Publish CHANGES updates for previous releases.
Modified:
release/httpd/CHANGES_2.4
release/httpd/CHANGES_2.4.56
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Mon Mar 20 13:40:12 2023
@@ -15,18 +15,13 @@ Changes with Apache 2.4.56
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
- some form of RewriteRule
- or ProxyPassMatch in which a non-specific pattern matches
- some portion of the user-supplied request-target (URL) data and
- is then
- re-inserted into the proxied request-target using variable
- substitution. For example, something like:
- RewriteEngine on
- RewriteRule "^/here/(.*)" "
- http://example.com:8080/elsewhere?$1"
- http://example.com:8080/elsewhere ; [P]
- ProxyPassReverse /here/ http://example.com:8080/
- http://example.com:8080/
+ some form of RewriteRule or ProxyPassMatch in which a non-specific
+ pattern matches some portion of the user-supplied request-target (URL)
+ data and is then re-inserted into the proxied request-target
+ using variable substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
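Review bot: the stray `;` between the closing quote of the substitution and the `[P]` flag in the new `RewriteRule` line is not RewriteRule syntax (the directive takes `pattern substitution [flags]`), so the consolidated example still does not parse as a configuration a reader can paste; it looks like a leftover of the line-wrapped original, where `http://example.com:8080/elsewhere ; [P]` sat on its own line. Suggest `RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]`. It would also help to say in the paragraph what makes `(.*)` the "non-specific pattern" the text refers to: it captures everything after `/here/` unconditionally and then re-inserts it into the proxied request-target, which is exactly the variable substitution the advisory warns about, so readers auditing their own rules know to look for unconstrained captures reused in a `[P]` or `ProxyPassMatch` target.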
@@ -350,6 +345,9 @@ Changes with Apache 2.4.54
domain names in the *.ts.net space.
[Stefan Eissing]
+ *) core: Change default value of LimitRequestBody from 0 (unlimited)
+ to 1GB. [Eric Covener]
+
Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
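Review bot: the new `LimitRequestBody` entry is being backfilled into the list for an already-shipped release (the log says "Publish CHANGES updates for previous releases"), and it records a default that moved from unlimited to 1GB without saying what that means for operators: any deployment that accepts request bodies larger than 1GB now needs an explicit `LimitRequestBody` directive to keep working. Suggest adding a sentence to that effect so that someone scanning the 2.4.54 entries for upgrade impact does not miss a behaviour change that can reject previously accepted requests.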
Modified: release/httpd/CHANGES_2.4.56
==============================================================================
--- release/httpd/CHANGES_2.4.56 (original)
+++ release/httpd/CHANGES_2.4.56 Mon Mar 20 13:40:12 2023
@@ -15,18 +15,13 @@ Changes with Apache 2.4.56
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
- some form of RewriteRule
- or ProxyPassMatch in which a non-specific pattern matches
- some portion of the user-supplied request-target (URL) data and
- is then
- re-inserted into the proxied request-target using variable
- substitution. For example, something like:
- RewriteEngine on
- RewriteRule "^/here/(.*)" "
- http://example.com:8080/elsewhere?$1"
- http://example.com:8080/elsewhere ; [P]
- ProxyPassReverse /here/ http://example.com:8080/
- http://example.com:8080/
+ some form of RewriteRule or ProxyPassMatch in which a non-specific
+ pattern matches some portion of the user-supplied request-target (URL)
+ data and is then re-inserted into the proxied request-target
+ using variable substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
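Review bot: the same stray `;` before `[P]` appears in this copy of the `RewriteRule` example, so CHANGES_2.4.56 carries the non-parsing line too; fix it to `RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]` in the same commit as CHANGES_2.4, since the two files are meant to carry identical text for the 2.4.56 section and a correction applied to only one of them will diverge again on the next publish.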