Changes with Apache 2.4.48
+ *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+ mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
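Review bot: The new CVE-2021-31618 entry in the 2.4.48 hunk says only "Fix a potential NULL pointer dereference", while the other SECURITY entries added in this same change (mod_session, mod_proxy_http under 2.4.47) spell out the consequence with "which could be used to cause a Denial of Service" and, where relevant, the condition under which it is reachable. Add the same consequence clause and the triggering condition to the mod_http2 line so an operator can judge urgency from CHANGES alone, e.g. "mod_http2: Fix a potential NULL pointer dereference, which could be used to cause a Denial of Service. [Ivan Zhakov]" if that matches the fix.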
Changes with Apache 2.4.47
+ *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+ Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+ *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+ mod_auth_digest: possible stack overflow by one nul byte while validating
+ the Digest nonce. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service with a malicious backend
+ server and SessionHeader. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+ mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+ Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+ *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+ mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+ negotiation. [Yann Ylavic]
+
*) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind to fail with status 500. [Ruediger Pluem]
- *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
- the format can't match anyway. [Yann Ylavic]
-
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
- *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
- proxy_util. [Yann Ylavic]
-
*) mod_proxy: Improve tunneling loop to support half closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
- *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
- and switched protocol forwarding. [Yann Ylavic]
-
*) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
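Review bot: Three existing entries are dropped in this hunk (the mod_auth_digest nonce base64 fast validation, the mod_proxy tunneling code move into proxy_util, and the mod_proxy_http Upgrade/101 forwarding), presumably because they are folded into the new SECURITY entries, but only CVE-2019-17567 ("Handle Upgradable protocols end-to-end negotiation") clearly subsumes its removed counterpart. The CVE-2020-35452 entry describes the one-nul-byte stack overflow while validating the Digest nonce and says nothing about the base64 fast-validation path, and no remaining entry mentions the proxy_util refactor; either keep those two entries or extend the SECURITY lines, e.g. "mod_auth_digest: possible stack overflow by one nul byte while validating the Digest nonce; fast validation of the nonce's base64 to fail early if the format can't match. [Yann Ylavic]". Separately, the CVE-2021-30641 entry is the only one in the file without a bracketed author attribution; add one for consistency.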
while x.{even}.z versions are Stable/GA releases.]
2.4.49 : In development
- 2.4.48 : Tagged on May 17, 2021
+ 2.4.48 : Tagged on May 17, 2021. Released on June 01, 2021.
2.4.47 : Tagged on April 22, 2021. Distributed on April 28, 2021,
not announced.
2.4.46 : Tagged on August 01, 2020. Released on August 07, 2020.
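Review bot: The updated 2.4.48 STATUS line follows the 2.4.46 format, but the 2.4.47 line directly above records that release as distributed and "not announced" while this same change adds seven SECURITY entries under "Changes with Apache 2.4.47" in CHANGES. The 2.4.48 release announcement should therefore enumerate the 2.4.47 CVEs as well, since 2.4.48 is the first announced release that carries those fixes; consider noting that on the 2.4.47 line ("security fixes announced with 2.4.48") so the STATUS file makes the linkage explicit.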