From: Joe Orton Date: Mon, 18 May 2026 15:29:03 +0000 (+0000) Subject: * SECURITY.md: Tweak wording on scope, expand section X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c86996676ee93ad0decb8273e3d0c3812fd7e4f0;p=thirdparty%2Fapache%2Fhttpd.git * SECURITY.md: Tweak wording on scope, expand section on trusted services. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934356 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/SECURITY.md b/SECURITY.md index d0bd1bfee7..645c5ee780 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -27,8 +27,9 @@ Vulnerabilities](http://httpd.apache.org/security/vulnerabilities_24.html) If an issue is reported against an aspect of the security model which is not documented here, it MUST be accompanied by a clear description of that aspect the model, showing why a trust boundary exists and how -it is violated. It is helpful to use references to documentation -and/or demonstrate common usage patterns. +it is violated. It is helpful to use references to vulnerabilities +previously disclosed by this project, the httpd documentation +(see docs/manual), and to demonstrate common usage patterns. Any security vulnerability SHOULD be reproducible: 
@@ -114,13 +115,20 @@ authors have equivalent privileges to the less-privileged server user. Many configurations depend on backend servers or services which are trusted entities. -* Backend servers accessed in a proxy configuration should not be able - to influence HTTP protocol framing logic in the frontend (client) - ("response splitting" attacks). +Services used for authentication or caching privileged/protected data +are trusted not to attack the web server. Examples of trusted services +include, but are not limited to: -* Services used for authentication or caching privileged/protected - data (Redis/Valkey caches, database or LDAP servers) are trusted not - to attack the web server. +* Database or LDAP servers used for authentication via `mod_ldap` or `mod_dbd` +* Redis/Valkey, or Memcache servers used for the `mod_ssl` session cache +* OCSP servers used for client certificate verification, or server certificate "stapling" + +Backend servers are those accessed in a reverse proxy (or gateway) +configuration, typically via HTTP or AJP (see +https://httpd.apache.org/docs/current/mod/mod_proxy.html#forwardreverse). +Backend servers are trusted to provide content but SHOULD NOT be able +to influence HTTP protocol framing logic in the frontend (client) +communication (so called "response splitting" attacks). Example vulnerabilities which violated the model: CVE-2026-33523, CVE-2024-42516.
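Review bot: the unchanged context line in the first hunk ("a clear description of that aspect the model") is missing a word and should read "that aspect of the model"; since this commit is already reworking that paragraph, fold the fix in. In the added text the list "references to vulnerabilities previously disclosed by this project, the httpd documentation (see docs/manual), and to demonstrate common usage patterns" mixes noun phrases with an infinitive; "It is helpful to reference vulnerabilities previously disclosed by this project and the httpd documentation (see docs/manual), and to demonstrate common usage patterns" reads cleanly. A pointer to where the disclosed vulnerabilities are listed (the vulnerabilities_24.html page linked at the top of the same hunk) would also make the reference actionable.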
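Review bot: in the second hunk the first two examples name the wrong layer of module. `mod_ldap` and `mod_dbd` provide connection handling and caching; authentication against LDAP or SQL backends is performed by `mod_authnz_ldap` and `mod_authn_dbd`, so the bullet should name those (for instance "via `mod_authnz_ldap` or `mod_authn_dbd`"), optionally mentioning the provider modules alongside. "Memcache" in the next bullet is the product name memcached (reached through `mod_socache_memcache`) and should be spelled that way. Finally, the closing line "Example vulnerabilities which violated the model: CVE-2026-33523, CVE-2024-42516." now sits directly under the backend-servers paragraph, so it reads as examples of response splitting only; if that is the intent, say so explicitly, otherwise move the sentence to follow the trusted-services list where it previously applied to the whole section.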