publishing release httpd-2.4.59

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1916800 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 5c6a28b0675aa152d62b7ddcc7fb49a1e6393807..7b7b04ea388a7b5189d3808e012014b3b58b01ef 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,35 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.60
+
 Changes with Apache 2.4.59
 
+  *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
+     memory exhaustion on endless continuation frames (cve.mitre.org)
+     HTTP/2 incoming headers exceeding the limit are temporarily
+     buffered in nghttp2 in order to generate an informative HTTP 413
+     response. If a client does not stop sending headers, this leads
+     to memory exhaustion.
+     Credits: Bartek Nowotarski (https://nowotarski.info/)
+
+  *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
+     Splitting in multiple modules (cve.mitre.org)
+     HTTP Response splitting in multiple modules in Apache HTTP
+     Server allows an attacker that can inject malicious response
+     headers into backend applications to cause an HTTP
+     desynchronization attack.
+     Users are recommended to upgrade to version 2.4.59, which fixes
+     this issue.
+     Credits: Keran Mu, Tsinghua University and Zhongguancun
+     Laboratory.
+
+  *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
+     splitting (cve.mitre.org)
+     Faulty input validation in the core of Apache allows malicious
+     or exploitable backend/content generators to split HTTP
+     responses.
+     This issue affects Apache HTTP Server: through 2.4.58.
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
   *) mod_deflate: Fixes and better logging for handling various
      error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
      Eric Norris <enorris etsy.com>]

diff --git a/NOTICE b/NOTICE
index 4770ce987373674f31f7147f8891090f6baa3ea5..4ac4b6f5a6da4f5fdf8c9aca0336e5312e8ea3af 100644 (file)
--- a/NOTICE
+++ b/NOTICE
@@ -1,5 +1,5 @@
 Apache HTTP Server
-Copyright 2023 The Apache Software Foundation.
+Copyright 2024 The Apache Software Foundation.
 
 This product includes software developed at
 The Apache Software Foundation (https://www.apache.org/).

diff --git a/STATUS b/STATUS
index 4dfd00306fa46ee77c846389de1c13f2a18bd268..effe936cb38c9348a93002e1e4042d22ae12749e 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -29,7 +29,8 @@ Release history:
     [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
           while x.{even}.z versions are Stable/GA releases.]
 
-    2.4.59  : In development
+    2.4.60  : In development
+    2.4.59  : Released on April 04, 2024
     2.4.58  : Released on October 19, 2023
     2.4.57  : Released on April 06, 2023
     2.4.56  : Released on March 07, 2023

diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent
index c0ad4ed7fb0326fae35bce3405348eff892cdc5b..45ce7c1db8859c3645fe5593f6150ec63dd64503 100644 (file)
--- a/docs/manual/style/version.ent
+++ b/docs/manual/style/version.ent
@@ -19,6 +19,6 @@
 
 <!ENTITY httpd.major "2">
 <!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "59">
+<!ENTITY httpd.patch "60">
 
 <!ENTITY httpd.docs "2.4">

diff --git a/include/ap_release.h b/include/ap_release.h
index 0b7c32b372ac7a7d2ebbac71f4b1547b37c7d15d..07b7fa9b3bf41048040f764a99d53f720e12f677 100644 (file)
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -43,7 +43,7 @@
 
 #define AP_SERVER_MAJORVERSION_NUMBER 2
 #define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER   59
+#define AP_SERVER_PATCHLEVEL_NUMBER   60
 #define AP_SERVER_DEVBUILD_BOOLEAN    1
 
 /* Synchronize the above with docs/manual/style/version.ent */