apache: Update to 2.4.56

For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.56

"Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
     HTTP response splitting (cve.mitre.org)
     HTTP Response Smuggling vulnerability in Apache HTTP Server via
     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
     2.4.30 through 2.4.55.
     Special characters in the origin response header can
     truncate/split the response forwarded to the client.
     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule
     or ProxyPassMatch in which a non-specific pattern matches
     some portion of the user-supplied request-target (URL) data and
     is then
     re-inserted into the proxied request-target using variable
     substitution. For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "
     http://example.com:8080/elsewhere?$1"
     http://example.com:8080/elsewhere ; [P]
     ProxyPassReverse /here/  http://example.com:8080/
     http://example.com:8080/
     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe

  *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
     truncated without the initial logfile being truncated.  [Eric Covener]

  *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
     allow connections of any age to be reused. Up to now, a negative value
     was handled as an error when parsing the configuration file.  PR 66421.
     [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

  *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
     of headers. [Ruediger Pluem]

  *) mod_md:
     - Enabling ED25519 support and certificate transparency information when
       building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
     - MDChallengeDns01 can now be configured for individual domains.
       Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.
     [Stefan Eissing]

  *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
     reported in access logs and error documents. The processing of the
     reset was correct, only unneccesary reporting was caused.
     [Stefan Eissing]

  *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
     [Yann Ylavic]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/lfs/apache2 b/lfs/apache2
index 7e1ef791166edc1f27eac40093ce81c84ee56244..402aa8567dbd760d801649860eb6dd6a57ea318c 100644 (file)
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 2.4.55
+VER        = 2.4.56
 
 THISAPP    = httpd-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 98e9ec41aa3ccbbe533672ba6de8421e1f0cb5a4b4a06d0cf26c676945bcd5ebe66a1fd21d941ad8ff2c9183565ce542a5643730bbee5972934008652924945b
+$(DL_FILE)_BLAKE2 = f9aaf5038543aeec79d5b8615b1b2120fe321966280574c685070f2356f8f1dba1d55a9a25f46cb5ecdd6e3f03785fe7a4e1b965506896cb889720728aa18101
 
 install : $(TARGET)