Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/10/07 15:22:02 UTC
svn commit: r1893998 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS
docs/manual/style/version.ent include/ap_release.h
Author: icing
Date: Thu Oct 7 15:22:02 2021
New Revision: 1893998
URL: http://svn.apache.org/viewvc?rev=1893998&view=rev
Log:
publishing release httpd-2.4.51
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/docs/manual/style/version.ent
httpd/httpd/branches/2.4.x/include/ap_release.h
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1893998&r1=1893997&r2=1893998&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Oct 7 15:22:02 2021
@@ -1,6 +1,24 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.52
+
Changes with Apache 2.4.51
+ *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
+ Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
+ fix of CVE-2021-41773) (cve.mitre.org)
+ It was found that the fix for CVE-2021-41773 in Apache HTTP
+ Server 2.4.50 was insufficient. An attacker could use a path
+ traversal attack to map URLs to files outside the directories
+ configured by Alias-like directives.
+ If files outside of these directories are not protected by the
+ usual default configuration "require all denied", these requests
+ can succeed. If CGI scripts are also enabled for these aliased
+ pathes, this could allow for remote code execution.
+ This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
+ earlier versions.
+ Credits: Reported by Juan Escobar from Dreamlab Technologies,
+ Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
+
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
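Review bot: "pathes" in the CVE-2021-42013 entry (the sentence "If CGI scripts are also enabled for these aliased pathes") should read "paths". In the same entry the directive is quoted as "require all denied"; writing it with its conventional capitalisation, "Require all denied", makes it easier for an administrator to match against their own configuration when checking whether files outside the aliased directories are protected.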
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1893998&r1=1893997&r2=1893998&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Oct 7 15:22:02 2021
@@ -29,7 +29,8 @@ Release history:
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
while x.{even}.z versions are Stable/GA releases.]
- 2.4.51 : In development
+ 2.4.52 : In development
+ 2.4.51 : Released on October 07, 2021
2.4.50 : Released on October 04, 2021
2.4.49 : Released on September 16, 2021
2.4.48 : Tagged on May 17, 2021. Released on June 01, 2021.
Modified: httpd/httpd/branches/2.4.x/docs/manual/style/version.ent
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/style/version.ent?rev=1893998&r1=1893997&r2=1893998&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/style/version.ent (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/style/version.ent Thu Oct 7 15:22:02 2021
@@ -19,6 +19,6 @@
<!ENTITY httpd.major "2">
<!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "50">
+<!ENTITY httpd.patch "52">
<!ENTITY httpd.docs "2.4">
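Review bot: the removed line has httpd.patch at "50" while the ap_release.h hunk in this same commit removes a patch level of 51, so the two files were out of step before this change and the entity now jumps from 50 straight to 52. ap_release.h carries the comment "Synchronize the above with docs/manual/style/version.ent"; it is worth confirming that the documentation shipped with 2.4.51 was built with the intended patch value, and adding a check to the release procedure that compares the two files whenever the version is bumped.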
Modified: httpd/httpd/branches/2.4.x/include/ap_release.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_release.h?rev=1893998&r1=1893997&r2=1893998&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/ap_release.h (original)
+++ httpd/httpd/branches/2.4.x/include/ap_release.h Thu Oct 7 15:22:02 2021
@@ -43,7 +43,7 @@
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER 51
+#define AP_SERVER_PATCHLEVEL_NUMBER 52
#define AP_SERVER_DEVBUILD_BOOLEAN 1
/* Synchronize the above with docs/manual/style/version.ent */
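Review bot: the log message reads "publishing release httpd-2.4.51", but this hunk moves AP_SERVER_PATCHLEVEL_NUMBER from 51 to 52 with AP_SERVER_DEVBUILD_BOOLEAN left at 1, which opens development of 2.4.52 rather than setting the 2.4.51 version. Mentioning the bump to 2.4.52-dev in the log would make this revision easier to find for anyone tracing which revision a given version string came from.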