-*- coding: utf-8 -*-
+Changes with Apache 2.4.52
+
Changes with Apache 2.4.51
+ *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
+ Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
+ fix of CVE-2021-41773) (cve.mitre.org)
+ It was found that the fix for CVE-2021-41773 in Apache HTTP
+ Server 2.4.50 was insufficient. An attacker could use a path
+ traversal attack to map URLs to files outside the directories
+ configured by Alias-like directives.
+ If files outside of these directories are not protected by the
+ usual default configuration "require all denied", these requests
+ can succeed. If CGI scripts are also enabled for these aliased
+ pathes, this could allow for remote code execution.
+ This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
+ earlier versions.
+ Credits: Reported by Juan Escobar from Dreamlab Technologies,
+ Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
+
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
while x.{even}.z versions are Stable/GA releases.]
- 2.4.51 : In development
+ 2.4.52 : In development
+ 2.4.51 : Released on October 07, 2021
2.4.50 : Released on October 04, 2021
2.4.49 : Released on September 16, 2021
2.4.48 : Tagged on May 17, 2021. Released on June 01, 2021.
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER 51
+#define AP_SERVER_PATCHLEVEL_NUMBER 52
#define AP_SERVER_DEVBUILD_BOOLEAN 1
/* Synchronize the above with docs/manual/style/version.ent */
projects / thirdparty / apache / httpd.git / commitdiff
