From: Eric Covener
Date: Tue, 7 Mar 2023 12:50:52 +0000 (+0000)
Subject: publishing release httpd-2.4.56
X-Git-Tag: 2.4.57-rc1-candidate~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07fa049a0b917dff2999cddeb7d071f330d6450d;p=thirdparty%2Fapache%2Fhttpd.git

publishing release httpd-2.4.56

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908159 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 16f8f55dd2d..db8f0443eae 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,39 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.57 + Changes with Apache 2.4.56 + *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi + HTTP response splitting (cve.mitre.org) + HTTP Response Smuggling vulnerability in Apache HTTP Server via + mod_proxy_uwsgi. This issue affects Apache HTTP Server: from + 2.4.30 through 2.4.55. + Special characters in the origin response header can + truncate/split the response forwarded to the client. + Credits: Dimas Fariski Setyawan Putra (nyxsorcerer) + + *) SECURITY: CVE-2023-25690: HTTP request splitting with + mod_rewrite and mod_proxy (cve.mitre.org) + Some mod_proxy configurations on Apache HTTP Server versions + 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. + Configurations are affected when mod_proxy is enabled along with + some form of RewriteRule + or ProxyPassMatch in which a non-specific pattern matches + some portion of the user-supplied request-target (URL) data and + is then + re-inserted into the proxied request-target using variable + substitution. For example, something like: + RewriteEngine on + RewriteRule "^/here/(.*)" " + http://example.com:8080/elsewhere?$1" + http://example.com:8080/elsewhere ; [P] + ProxyPassReverse /here/ http://example.com:8080/ + http://example.com:8080/ + Request splitting/smuggling could result in bypass of access + controls in the proxy server, proxying unintended URLs to + existing origin servers, and cache poisoning. + Credits: Lars Krapf of Adobe + *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. [Eric Covener] diff --git a/STATUS b/STATUS index a19a24d3124..c9903480373 100644 --- a/STATUS +++ b/STATUS 
@@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.56 : In development + 2.4.57 : In development + 2.4.56 : Released on March 07, 2023 2.4.55 : Released on January 17, 2023 2.4.54 : Released on June 08, 2022 2.4.53 : Released on March 14, 2022 diff --git a/docs/manual/mod/mod_md.html.fr.utf8 b/docs/manual/mod/mod_md.html.fr.utf8 index 97f26f7a8ea..737cfbe77ad 100644 --- a/docs/manual/mod/mod_md.html.fr.utf8 +++ b/docs/manual/mod/mod_md.html.fr.utf8 @@ -29,6 +29,8 @@

Langues Disponibles:  en  |  fr 

+
Cette traduction peut être périmée. Vérifiez la version + anglaise pour les changements récents.
diff --git a/docs/manual/programs/rotatelogs.html.fr.utf8 b/docs/manual/programs/rotatelogs.html.fr.utf8 index e73487f958d..c5f8ee1da93 100644 --- a/docs/manual/programs/rotatelogs.html.fr.utf8 +++ b/docs/manual/programs/rotatelogs.html.fr.utf8 @@ -30,6 +30,8 @@  ko  |  tr 

+
Cette traduction peut être périmée. Vérifiez la version + anglaise pour les changements récents.

rotatelogs est un programme simple à utiliser en conjonction avec la fonctionnalité d'Apache de redirection dans un diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent index 29e0dfc7512..30ec0ddd9c0 100644 --- a/docs/manual/style/version.ent +++ b/docs/manual/style/version.ent @@ -19,6 +19,6 @@ - + diff --git a/include/ap_release.h b/include/ap_release.h index c643dad8cc2..ef0a3d57332 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -43,7 +43,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 4 -#define AP_SERVER_PATCHLEVEL_NUMBER 56 +#define AP_SERVER_PATCHLEVEL_NUMBER 57 #define AP_SERVER_DEVBUILD_BOOLEAN 1 /* Synchronize the above with docs/manual/style/version.ent */

Description:Gestion des domaines au sein des serveurs virtuels et obtention de certificats via le protocole ACME
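
Review bot: In the CVE-2023-25690 entry added to CHANGES, the example configuration is not usable as written. The RewriteRule substitution opens a quote and the target URL then appears twice on separate lines (`http://example.com:8080/elsewhere?$1"` followed by `http://example.com:8080/elsewhere ; [P]`), with a stray `;` before `[P]`, and the ProxyPassReverse target is likewise repeated on the line after it. This reads like link text pasted from a rendered page. Suggest collapsing the example to one RewriteRule line ending in `[P]` and one ProxyPassReverse line, so administrators can compare it against their own rules. Separately, the CVE-2023-27522 entry titles the issue "HTTP response splitting" and then describes it as "HTTP Response Smuggling"; use one term, and drop the "(cve.mitre.org)" residue from both titles.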
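
Review bot: In include/ap_release.h, AP_SERVER_PATCHLEVEL_NUMBER moves from 56 to 57 and the context comment says to synchronize with docs/manual/style/version.ent, but the changed lines of the version.ent hunk are not visible on this page (only `- +` survives), so the sync cannot be confirmed from here. Please verify that the entity there also reads 57. The subject "publishing release httpd-2.4.56" also does not mention that this commit opens 2.4.57 development (the new "Changes with Apache 2.4.57" heading and the STATUS line "2.4.57 : In development"); stating that in the message would help anyone mapping version numbers to commits.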