From: Eric Covener Date: Thu, 4 Apr 2024 13:52:54 +0000 (+0000) Subject: publishing release httpd-2.4.59 X-Git-Tag: 2.4.60-rc1-candidate~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb5978064170282f696c13ee0887dc49f44c1193;p=thirdparty%2Fapache%2Fhttpd.git publishing release httpd-2.4.59 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1916800 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5c6a28b0675..7b7b04ea388 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,35 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.60 + Changes with Apache 2.4.59 + *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by + memory exhaustion on endless continuation frames (cve.mitre.org) + HTTP/2 incoming headers exceeding the limit are temporarily + buffered in nghttp2 in order to generate an informative HTTP 413 + response. If a client does not stop sending headers, this leads + to memory exhaustion. + Credits: Bartek Nowotarski (https://nowotarski.info/) + + *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response + Splitting in multiple modules (cve.mitre.org) + HTTP Response splitting in multiple modules in Apache HTTP + Server allows an attacker that can inject malicious response + headers into backend applications to cause an HTTP + desynchronization attack. + Users are recommended to upgrade to version 2.4.59, which fixes + this issue. + Credits: Keran Mu, Tsinghua University and Zhongguancun + Laboratory. + + *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response + splitting (cve.mitre.org) + Faulty input validation in the core of Apache allows malicious + or exploitable backend/content generators to split HTTP + responses. + This issue affects Apache HTTP Server: through 2.4.58. + Credits: Orange Tsai (@orange_8361) from DEVCORE + *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris ] 
diff --git a/NOTICE b/NOTICE index 4770ce98737..4ac4b6f5a6d 100644 --- a/NOTICE +++ b/NOTICE @@ -1,5 +1,5 @@ Apache HTTP Server -Copyright 2023 The Apache Software Foundation. +Copyright 2024 The Apache Software Foundation. This product includes software developed at The Apache Software Foundation (https://www.apache.org/). diff --git a/STATUS b/STATUS index 4dfd00306fa..effe936cb38 100644 --- a/STATUS +++ b/STATUS @@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.59 : In development + 2.4.60 : In development + 2.4.59 : Released on April 04, 2024 2.4.58 : Released on October 19, 2023 2.4.57 : Released on April 06, 2023 2.4.56 : Released on March 07, 2023 diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent index c0ad4ed7fb0..45ce7c1db88 100644 --- a/docs/manual/style/version.ent +++ b/docs/manual/style/version.ent @@ -19,6 +19,6 @@ - + diff --git a/include/ap_release.h b/include/ap_release.h index 0b7c32b372a..07b7fa9b3bf 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -43,7 +43,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 4 -#define AP_SERVER_PATCHLEVEL_NUMBER 59 +#define AP_SERVER_PATCHLEVEL_NUMBER 60 #define AP_SERVER_DEVBUILD_BOOLEAN 1 /* Synchronize the above with docs/manual/style/version.ent */
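Review bot: in the CHANGES hunk the three SECURITY entries are inconsistent about affected versions and the fix version: the CVE-2024-24795 entry says "Users are recommended to upgrade to version 2.4.59, which fixes this issue.", the CVE-2023-38709 entry says "This issue affects Apache HTTP Server: through 2.4.58." with no upgrade line, and the CVE-2024-27316 entry has neither. Suggest giving all three entries both the "affects ... through 2.4.58" line and the "upgrade to 2.4.59" line so CHANGES alone tells a reader which releases are vulnerable and which release carries the fix. The CVE-2024-27316 text also places the buffering "in nghttp2" without saying whether the mitigation lives in httpd or depends on the nghttp2 version in use; one sentence on that would help packagers building against older nghttp2.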
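Review bot: the docs/manual/style/version.ent hunk as rendered here shows only a bare "-" and "+" with no entity content, so the version bump in that file cannot be checked from this view, even though the ap_release.h hunk carries the comment "Synchronize the above with docs/manual/style/version.ent" and bumps AP_SERVER_PATCHLEVEL_NUMBER from 59 to 60. Please confirm the entity in version.ent was changed to 2.4.60 to match, and that the docs build picks up the new value.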