From: Stefan Eissing
Date: Mon, 14 Mar 2022 09:51:39 +0000 (+0000)
Subject: publishing release httpd-2.4.53
X-Git-Tag: 2.4.54-rc1-candidate~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa62afbaec3c4982ccdff7c46e5636a89b79841e;p=thirdparty%2Fapache%2Fhttpd.git

publishing release httpd-2.4.53

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898917 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index f391f2bbc92..d42274aa190 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,39 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.54 + Changes with Apache 2.4.53 + *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds + (cve.mitre.org) + Out-of-bounds Write vulnerability in mod_sed of Apache HTTP + Server allows an attacker to overwrite heap memory with possibly + attacker provided data. + This issue affects Apache HTTP Server 2.4 version 2.4.52 and + prior versions. + Credits: Ronald Crane (Zippenhop LLC) + + *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with + very large or unlimited LimitXMLRequestBody (cve.mitre.org) + If LimitXMLRequestBody is set to allow request bodies larger + than 350MB (defaults to 1M) on 32 bit systems an integer + overflow happens which later causes out of bounds writes. + This issue affects Apache HTTP Server 2.4.52 and earlier. + Credits: Anonymous working with Trend Micro Zero Day Initiative + + *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability + in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) + Apache HTTP Server 2.4.52 and earlier fails to close inbound + connection when errors are encountered discarding the request + body, exposing the server to HTTP Request Smuggling + Credits: James Kettle + + *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of + in r:parsebody (cve.mitre.org) + A carefully crafted request body can cause a read to a random + memory area which could cause the process to crash. + This issue affects Apache HTTP Server 2.4.52 and earlier. + Credits: Chamal De Silva + *) core: Make sure and check that LimitXMLRequestBody fits in system memory. [Ruediger Pluem, Yann Ylavic] diff --git a/NOTICE b/NOTICE index 24c6beefc58..aade8aa1648 100644 --- a/NOTICE +++ b/NOTICE @@ -1,5 +1,5 @@ Apache HTTP Server -Copyright 2021 The Apache Software Foundation. +Copyright 2022 The Apache Software Foundation. This product includes software developed at The Apache Software Foundation (https://www.apache.org/). 
diff --git a/STATUS b/STATUS index 414e34b5878..cf831b426e7 100644 --- a/STATUS +++ b/STATUS @@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.53 : In development + 2.4.54 : In development + 2.4.53 : Released on March 14, 2022 2.4.52 : Released on December 20, 2021 2.4.51 : Released on October 07, 2021 2.4.50 : Released on October 04, 2021 diff --git a/docs/manual/bind.html.de b/docs/manual/bind.html.de index f08c2adeec9..9cce70e99b4 100644 --- a/docs/manual/bind.html.de +++ b/docs/manual/bind.html.de @@ -220,7 +220,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/bind.html'; } })(window, document); //-->
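Review bot: In the CHANGES hunk, the CVE-2022-22719 title line is garbled: "mod_lua Use of uninitialized value of in r:parsebody" lacks the colon after the module name that the "mod_sed:" and "core:" entries use, and carries a stray "of". Suggest "mod_lua: Use of uninitialized value in r:parsebody". In the same hunk, the CVE-2022-22720 description stops at "HTTP Request Smuggling" with no full stop before its Credits line, and the CVE-2022-22721 text writes "350MB" and "1M" for values of the same directive. Operators read this file to decide whether their LimitXMLRequestBody setting is exposed, so the units should be written the same way in both places.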