From: Stefan Eissing Date: Thu, 7 Oct 2021 15:22:02 +0000 (+0000) Subject: publishing release httpd-2.4.51 X-Git-Tag: candidate-2.4.52-rc1~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae23b720b9501ebe1e831c4b1ffc68aaa65795fd;p=thirdparty%2Fapache%2Fhttpd.git publishing release httpd-2.4.51 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893998 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 093d46f99a6..86dfa3b8c0e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,24 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.52 + Changes with Apache 2.4.51 + *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code + Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete + fix of CVE-2021-41773) (cve.mitre.org) + It was found that the fix for CVE-2021-41773 in Apache HTTP + Server 2.4.50 was insufficient. An attacker could use a path + traversal attack to map URLs to files outside the directories + configured by Alias-like directives. + If files outside of these directories are not protected by the + usual default configuration "require all denied", these requests + can succeed. If CGI scripts are also enabled for these aliased + pathes, this could allow for remote code execution. + This issue only affects Apache 2.4.49 and Apache 2.4.50 and not + earlier versions. + Credits: Reported by Juan Escobar from Dreamlab Technologies, + Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka + *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate unused AP_NORMALIZE_DROP_PARAMETERS flag. [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton] diff --git a/STATUS b/STATUS index b8a055c5704..5b2a19f7821 100644 --- a/STATUS +++ b/STATUS 
@@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.51 : In development + 2.4.52 : In development + 2.4.51 : Released on October 07, 2021 2.4.50 : Released on October 04, 2021 2.4.49 : Released on September 16, 2021 2.4.48 : Tagged on May 17, 2021. Released on June 01, 2021. diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent index cd7eb4f4e3b..e1da5bcca9e 100644 --- a/docs/manual/style/version.ent +++ b/docs/manual/style/version.ent @@ -19,6 +19,6 @@ - + diff --git a/include/ap_release.h b/include/ap_release.h index e9eb58ecd98..0fd8a88a110 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -43,7 +43,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 4 -#define AP_SERVER_PATCHLEVEL_NUMBER 51 +#define AP_SERVER_PATCHLEVEL_NUMBER 52 #define AP_SERVER_DEVBUILD_BOOLEAN 1 /* Synchronize the above with docs/manual/style/version.ent */
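Review bot: the new CVE-2021-42013 entry in the CHANGES hunk has a spelling error in "If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution." and should read "paths"; CHANGES text is copied verbatim into release announcements and advisories, so fix it before the entry is reused. The rest of the entry is consistent with the surrounding change: it states that only 2.4.49 and 2.4.50 are affected, and the STATUS hunk records 2.4.51 as released on the same date as the commit.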
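Review bot: the docs/manual/style/version.ent hunk (@@ -19,6 +19,6 @@) shows only a bare "-" and "+" line in this rendering, so the actual entity change is not visible and cannot be checked here; the include/ap_release.h hunk bumps AP_SERVER_PATCHLEVEL_NUMBER from 51 to 52 while keeping AP_SERVER_DEVBUILD_BOOLEAN at 1, and its trailing comment "Synchronize the above with docs/manual/style/version.ent" requires that the version entity in version.ent be updated to match 2.4.52-dev in the same commit. Please confirm the entity value in version.ent was changed accordingly and not left at 2.4.51.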