diff options
author | Vincent Jancso <vincent.jancso@outlook.com> | 2023-03-12 16:37:16 +0000 |
---|---|---|
committer | Jochen Neumeister <joneum@FreeBSD.org> | 2023-03-12 16:39:56 +0000 |
commit | 8ec7b3510f11d22eedea008ad340daf96057207f (patch) | |
tree | cf3679a44ef9dac80e89e2705b3a4f7c5b12a825 | |
parent | d1238508aa94b0fe61c1255b232224ad85638028 (diff) | |
download | ports-8ec7b3510f11d22eedea008ad340daf96057207f.tar.gz ports-8ec7b3510f11d22eedea008ad340daf96057207f.zip |
www/apache24: Update to 2.4.56
Changes with Apache 2.4.56
*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org)
HTTP Response Smuggling vulnerability in Apache HTTP Server via
mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
*) SECURITY: CVE-2023-25690: HTTP request splitting with
mod_rewrite and mod_proxy (cve.mitre.org)
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and
is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "
http://example.com:8080/elsewhere?$1"
http://example.com:8080/elsewhere ; [P]
ProxyPassReverse /here/ http://example.com:8080/
http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.
Credits: Lars Krapf of Adobe
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers. [Ruediger Pluem]
*) mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
[Stefan Eissing]
*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
[Stefan Eissing]
*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
[Yann Ylavic]
PR: 270037
Reported by: Fabian Wenk <fabian@wenks.ch>
Sponsored by: Netzkommune GmbH
-rw-r--r-- | www/apache24/Makefile | 2 | ||||
-rw-r--r-- | www/apache24/distinfo | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/www/apache24/Makefile b/www/apache24/Makefile index 1305859d1044..fcc570c74818 100644 --- a/www/apache24/Makefile +++ b/www/apache24/Makefile @@ -1,5 +1,5 @@ PORTNAME= apache24 -PORTVERSION= 2.4.55 +PORTVERSION= 2.4.56 CATEGORIES= www MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} diff --git a/www/apache24/distinfo b/www/apache24/distinfo index 50ec0cfd8ba9..47dd1a9258c2 100644 --- a/www/apache24/distinfo +++ b/www/apache24/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1673987660 -SHA256 (apache24/httpd-2.4.55.tar.bz2) = 11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac -SIZE (apache24/httpd-2.4.55.tar.bz2) = 7456187 +TIMESTAMP = 1678526025 +SHA256 (apache24/httpd-2.4.56.tar.bz2) = d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c +SIZE (apache24/httpd-2.4.56.tar.bz2) = 7456418 |