-*- coding: utf-8 -*-
+Changes with Apache 2.4.53
+
Changes with Apache 2.4.52
+ *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
+ multipart content in mod_lua of Apache HTTP Server 2.4.51 and
+ earlier (cve.mitre.org)
+ A carefully crafted request body can cause a buffer overflow in
+ the mod_lua multipart parser (r:parsebody() called from Lua
+ scripts).
+ The Apache httpd team is not aware of an exploit for the
+ vulnerabilty though it might be possible to craft one.
+ This issue affects Apache HTTP Server 2.4.51 and earlier.
+ Credits: Chamal
+
+ *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
+ forward proxy configurations in Apache HTTP Server 2.4.51 and
+ earlier (cve.mitre.org)
+ A crafted URI sent to httpd configured as a forward proxy
+ (ProxyRequests on) can cause a crash (NULL pointer dereference)
+ or, for configurations mixing forward and reverse proxy
+ declarations, can allow for requests to be directed to a
+ declared Unix Domain Socket endpoint (Server Side Request
+ Forgery).
+ This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
+ (included).
+ Credits: 漂亮鼠
+ TengMA(@Te3t123)
+
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic]
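Review bot: The new CVE-2021-44790 entry misspells "vulnerabilty" (should be "vulnerability"), and the CVE-2021-44224 entry states two different affected ranges: its heading says "2.4.51 and earlier" while its body says "2.4.7 up to 2.4.51 (included)". Suggest making the heading match the body's range, so that anyone triaging a forward-proxy deployment (ProxyRequests on) gets a single answer about which versions are affected.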
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
while x.{even}.z versions are Stable/GA releases.]
- 2.4.52 : In development
+ 2.4.53 : In development
+ 2.4.52 : Released on December 20, 2021
2.4.51 : Released on October 07, 2021
2.4.50 : Released on October 04, 2021
2.4.49 : Released on September 16, 2021
<p>
This module manages common properties of domains for one or more virtual hosts.
- Its serves two main purposes: for one, supervise/renew https: certificates via the
+ Its serves two main purposes: for one, supervise/renew TLS certificates via the
ACME protocol (<a href="https://tools.ietf.org/html/rfc8555">RFC 8555</a>).
Certificates will be renewed by the module ahead of their expiration to account
for disruption in internet services. There are ways to monitor the status of all
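Review bot: The replacement line still begins "Its serves two main purposes", so the grammar error survives the edit. Since the line is being rewritten anyway to say "TLS certificates", change the opening to "It serves two main purposes" in the same commit.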
your server cannot provide the client with the data and the client browser
cannot get it as well, since the OCSP service is not responding.
</p><p>
- The implementation in mod_md will have peristed it, load it again after
+ The implementation in mod_md will have persisted it, load it again after
restart and have it available for incoming connections. A day or two before
- this information expires, it will renew it, making it able to copy with
+ this information expires, it will renew it, making it able to cope with
a long OCSP service downtime.
</p><p>
Due to backward compatibility, the existing implementation in mod_ssl could
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.4.52 and later</td></tr>
</table>
<p>
Configure values for ACME "External Account Binding", a feature
<!ENTITY httpd.major "2">
<!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "52">
+<!ENTITY httpd.patch "53">
<!ENTITY httpd.docs "2.4">
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER 52
+#define AP_SERVER_PATCHLEVEL_NUMBER 53
#define AP_SERVER_DEVBUILD_BOOLEAN 1
/* Synchronize the above with docs/manual/style/version.ent */