From: Stefan Eissing Date: Mon, 20 Dec 2021 09:44:06 +0000 (+0000) Subject: publishing release httpd-2.4.52 X-Git-Tag: 2.4.53-rc1-candidate~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f59c8043c4f3764349691436e450bad2c576773d;p=thirdparty%2Fapache%2Fhttpd.git publishing release httpd-2.4.52 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896180 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6a5d29d697c..845f6a87818 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,33 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.53 + Changes with Apache 2.4.52 + *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing + multipart content in mod_lua of Apache HTTP Server 2.4.51 and + earlier (cve.mitre.org) + A carefully crafted request body can cause a buffer overflow in + the mod_lua multipart parser (r:parsebody() called from Lua + scripts). + The Apache httpd team is not aware of an exploit for the + vulnerabilty though it might be possible to craft one. + This issue affects Apache HTTP Server 2.4.51 and earlier. + Credits: Chamal + + *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in + forward proxy configurations in Apache HTTP Server 2.4.51 and + earlier (cve.mitre.org) + A crafted URI sent to httpd configured as a forward proxy + (ProxyRequests on) can cause a crash (NULL pointer dereference) + or, for configurations mixing forward and reverse proxy + declarations, can allow for requests to be directed to a + declared Unix Domain Socket endpoint (Server Side Request + Forgery). + This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 + (included). + Credits: 漂亮鼠 + TengMA(@Te3t123) + *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] diff --git a/STATUS b/STATUS index dd941841c52..636c221dc32 100644 
--- a/STATUS +++ b/STATUS @@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.52 : In development + 2.4.53 : In development + 2.4.52 : Released on December 20, 2021 2.4.51 : Released on October 07, 2021 2.4.50 : Released on October 04, 2021 2.4.49 : Released on September 16, 2021 diff --git a/docs/manual/mod/mod_md.html.en b/docs/manual/mod/mod_md.html.en index 05af3566518..a2e07db1b7a 100644 --- a/docs/manual/mod/mod_md.html.en +++ b/docs/manual/mod/mod_md.html.en @@ -40,7 +40,7 @@

This module manages common properties of domains for one or more virtual hosts. - Its serves two main purposes: for one, supervise/renew https: certificates via the + Its serves two main purposes: for one, supervise/renew TLS certificates via the ACME protocol (RFC 8555). Certificates will be renewed by the module ahead of their expiration to account for disruption in internet services. There are ways to monitor the status of all @@ -272,9 +272,9 @@ your server cannot provide the client with the data and the client browser cannot get it as well, since the OCSP service is not responding.

- The implementation in mod_md will have peristed it, load it again after + The implementation in mod_md will have persisted it, load it again after restart and have it available for incoming connections. A day or two before - this information expires, it will renew it, making it able to copy with + this information expires, it will renew it, making it able to cope with a long OCSP service downtime.

Due to backward compatibility, the existing implementation in mod_ssl could @@ -644,6 +644,7 @@ Context:server config Status:Experimental Module:mod_md +Compatibility:Available in version 2.4.52 and later

Configure values for ACME "External Account Binding", a feature diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent index e1da5bcca9e..6e9f83cf336 100644 --- a/docs/manual/style/version.ent +++ b/docs/manual/style/version.ent @@ -19,6 +19,6 @@ - + diff --git a/include/ap_release.h b/include/ap_release.h index 0fd8a88a110..a425d60731c 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -43,7 +43,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 4 -#define AP_SERVER_PATCHLEVEL_NUMBER 52 +#define AP_SERVER_PATCHLEVEL_NUMBER 53 #define AP_SERVER_DEVBUILD_BOOLEAN 1 /* Synchronize the above with docs/manual/style/version.ent */
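Review bot: in the CHANGES hunk, the CVE-2021-44790 entry misspells "vulnerability" on the line `+ vulnerabilty though it might be possible to craft one.`; this is user-facing release text, so it is worth correcting before the tag is cut. The rest of the entry is at the right level for administrators assessing exposure: it names the component (the mod_lua multipart parser reached via r:parsebody()), the affected range (2.4.51 and earlier) and the fact that no exploit is known, and the CVE-2021-44224 entry likewise states the precise conditions (ProxyRequests on; mixed forward and reverse proxy declarations for the SSRF case) and the affected range 2.4.7 to 2.4.51 inclusive.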
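Review bot: the mod_md.html.en hunk at `@@ -40,7 +40,7 @@` changes "https: certificates" to "TLS certificates" but leaves "Its serves two main purposes" on both the `-` and `+` lines; since the line is touched anyway, "It serves two main purposes" would fix the grammar in the same change. The spelling fixes in the `@@ -272,9 +272,9 @@` hunk ("peristed" to "persisted", "copy with" to "cope with") read correctly, and the new `+Compatibility:Available in version 2.4.52 and later` line in the `@@ -644,6 +644,7 @@` hunk is a useful addition for the External Account Binding directive.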
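Review bot: the ap_release.h hunk raises AP_SERVER_PATCHLEVEL_NUMBER from 52 to 53 while AP_SERVER_DEVBUILD_BOOLEAN stays 1, which is consistent with the STATUS hunk that marks 2.4.53 as "In development" and records 2.4.52 as released on December 20, 2021; however, the comment `/* Synchronize the above with docs/manual/style/version.ent */` refers to the version.ent hunk, whose changed entity lines do not survive in this rendering (the `@@ -19,6 +19,6 @@` hunk shows only an empty `-` and `+` line), so the version synchronization should be confirmed against the raw diff rather than this page.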