Apache httpd 2.4.66 with brotli support, TLS 1.3, OpenSSL 3.5.4 with http2, mod_http2 2.0.35 and ALPN for Red Hat Enterprise Linux, CentOS 7, Alma Linux, Rocky Linux 8/9/10 fixing CVE-2025-66200, CVE-2025-65082, CVE-2025-59775, CVE-2025-58098, CVE-2025-55753

Apache httpd 2.4.66 added to the repository.

Changes:

  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
     bypass via AllowOverride FileInfo (cve.mitre.org)
     mod_userdir+suexec bypass via AllowOverride FileInfo
     vulnerability in Apache HTTP Server. Users with access to use
     the RequestHeader directive in htaccess can cause some CGI
     scripts to run under an unexpected userid.
     This issue affects Apache HTTP Server: from 2.4.7 through
     2.4.65.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
     variable override (cve.mitre.org)
     Improper Neutralization of Escape, Meta, or Control Sequences
     vulnerability in Apache HTTP Server through environment
     variables set via the Apache configuration unexpectedly
     superseding variables calculated by the server for CGI programs.
     This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
     Users are recommended to upgrade to version 2.4.66 which fixes
     the issue.
     Credits: Mattias Åsander (Umeå University)

  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
     Windows through UNC SSRF (cve.mitre.org)
     Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
     Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
     allows potentially leaking NTLM hashes to a malicious server via
     SSRF and malicious requests or content.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
     Includes adds query string to #exec cmd=... (cve.mitre.org)
     Apache HTTP Server 2.4.65 and earlier with Server Side Includes
     (SSI) enabled and mod_cgid (but not mod_cgi) passes the
     shell-escaped query string to #exec cmd="..." directives.
     This issue affects Apache HTTP Server before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Anthony Parfenov (United Rentals, Inc.)

  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
     unintended retry intervals (cve.mitre.org)
     An integer overflow in the case of failed ACME certificate
     renewal leads, after a number of failures (~30 days in default
     configurations), to the backoff timer becoming 0. Attempts to
     renew the certificate then are repeated without delays until it
     succeeds.
     This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Aisle Research
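The four advisories above (CVE-2025-66200, CVE-2025-65082, CVE-2025-59775 and CVE-2025-58098) each describe a combination of configuration directives, and a quick audit of an httpd.conf for exactly those combinations is something an administrator can run before the upgrade lands. The script below is an added example, not httpd code: `parse_config`, `find`, `audit` and `SAMPLE_CONF` are names chosen here, the reader is a deliberately small line-oriented one that does not follow `Include`, the `CGI_META` set is the RFC 3875 meta-variable list (the advisory does not say which variables are affected, so all of them are treated as worth reviewing), whether suexec is actually in use is not visible from the configuration text, and the CVE-2025-59775 condition only matters on Windows builds.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Section:
    kind: str                                        # "global", "Directory", "VirtualHost", ...
    arg: str                                         # block argument, e.g. the directory path
    directives: list = field(default_factory=list)   # [(name, args), ...]


def parse_config(text):
    """Line-oriented reader that records which block each directive sits in.
    Nested blocks become their own Section; Include files are not followed."""
    root = Section("global", "")
    sections, stack = [root], [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if opening:
            sec = Section(opening.group(1), opening.group(2).strip().strip('"'))
            sections.append(sec)
            stack.append(sec)
        elif line.startswith("</"):
            if len(stack) > 1:
                stack.pop()
        else:
            parts = line.split(None, 1)
            stack[-1].directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return sections


def find(sections, name):
    """All (section, args) pairs for one directive name, case-insensitive."""
    return [(s, a) for s in sections for n, a in s.directives if n.lower() == name.lower()]


def _where(sec):
    return f"<{sec.kind} {sec.arg}>".replace(" >", ">")


# RFC 3875 meta-variables that the server computes for a CGI program.  Which of
# them CVE-2025-65082 concerns is not stated, so the whole set is flagged
# (constructed heuristic for this example, not a statement about httpd).
CGI_META = {"AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
            "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
            "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
            "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
            "SERVER_SOFTWARE"}


def audit(text):
    """Return [(cve_id, detail), ...] for every risky combination found."""
    sections = parse_config(text)
    findings = []

    # CVE-2025-66200: per-user directories plus .htaccess control over FileInfo
    # (the override class that contains RequestHeader).  Whether suexec is in
    # use is not visible here and must be confirmed separately.
    userdir_on = any(a.split()[0].lower() != "disabled"
                     for _, a in find(sections, "UserDir") if a)
    if userdir_on:
        for sec, args in find(sections, "AllowOverride"):
            if {t.lower() for t in args.split()} & {"all", "fileinfo"}:
                findings.append(("CVE-2025-66200",
                                 f"UserDir enabled and AllowOverride {args} in {_where(sec)}"))

    # CVE-2025-65082: configuration-set variables shadowing server-computed ones.
    for name in ("SetEnv", "PassEnv"):
        for sec, args in find(sections, name):
            var = args.split()[0] if args else ""
            if var.upper() in CGI_META:
                findings.append(("CVE-2025-65082", f"{name} {var} in {_where(sec)}"))

    # CVE-2025-59775 (Windows builds only): encoded slashes accepted while
    # slash merging is switched off.
    encoded_on = any(a.lower() == "on" for _, a in find(sections, "AllowEncodedSlashes"))
    merge_off = any(a.lower() == "off" for _, a in find(sections, "MergeSlashes"))
    if encoded_on and merge_off:
        findings.append(("CVE-2025-59775", "AllowEncodedSlashes On with MergeSlashes Off"))

    # CVE-2025-58098: SSI with #exec permitted (Includes, not IncludesNOEXEC)
    # while mod_cgid rather than mod_cgi is loaded.
    cgid = any("cgid_module" in a for _, a in find(sections, "LoadModule"))
    if cgid:
        for sec, args in find(sections, "Options"):
            if "includes" in {t.lstrip("+").lower() for t in args.split()}:
                findings.append(("CVE-2025-58098",
                                 f"Options {args} with mod_cgid loaded in {_where(sec)}"))
    return findings


# Constructed sample configuration that trips every check; not a real deployment.
SAMPLE_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
LoadModule userdir_module modules/mod_userdir.so
UserDir public_html
AllowEncodedSlashes On
MergeSlashes Off
SetEnv REMOTE_USER nobody
<Directory "/home/*/public_html">
    AllowOverride FileInfo
    Options Includes ExecCGI
</Directory>
<Directory "/var/www/html">
    AllowOverride None
    Options IncludesNOEXEC
</Directory>
"""

if __name__ == "__main__":
    for cve, detail in audit(SAMPLE_CONF):
        print(f"{cve}: {detail}")
```

Running it against `SAMPLE_CONF` reports one finding per advisory; changing the sample to `AllowOverride None`, dropping the `SetEnv`, turning `MergeSlashes On` and using `IncludesNOEXEC` makes the report empty. A finding is a prompt to review, not proof of exploitability: the upgrade to 2.4.66 remains the fix.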

  *) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
     [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
     integers, used in push diaries and proxy window size calculations.
     PR69741 [Benjamin P. Kallus]

  *) mod_md: update to version 2.6.5
     - New directive `MDInitialDelay`, controlling how long to wait after
       a server restart before checking certificates for renewal.
       [Michael Kaufmann]
     - Hardening: when built with OpenSSL older than 1.0.2 or old libressl
       versions, the parsing of ASN.1 time strings did not do a length check.
     - Hardening: when reading back OCSP responses stored in the local JSON
       store, missing 'valid' key led to uninitialized values, resulting in
       wrong refresh behaviour.

  *) mod_md: update to version 2.6.6
     - Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
     - Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]

  *) mod_http2: update to version 2.0.35
     New directive `H2MaxStreamErrors` to control how much bad behaviour
     by clients is tolerated before the connection is closed.
     [Stefan Eissing]

  *) mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771

  *) mpm_common: Add new ListenTCPDeferAccept directive that allows specifying
     the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
     [Ruediger Pluem]

  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
     host compatibility policy.  PR 69743.  [Joe Orton]

  *) mod_md: update to version 2.6.2
     - Fix error retry delay calculation to not already double the wait
       on the first error.

  *) mod_md: update to version 2.6.1
     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
       traffic on errored renewals for the ACME CA. This leads to error retries
        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
     - Checking that configuring `MDRetryDelay` will result in a positive
       duration. A delay of 0 is not accepted.
     - Fix a bug in checking Content-Type of responses from the ACME server.
     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
       directive "MDRenewViaARI on|off" for controlling this.
     - Removing tailscale support. It has not been working for a long time
       as the company decided to change their APIs. Away with the dead code,
       documentation and tests.
     - Fixed a compilation issue with pre-industrial versions of libcurl.
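The CVE-2025-55753 entry and the mod_md 2.6.1/2.6.2 notes above describe the same retry schedule from two sides: doubling from `MDRetryDelay` (30s, 1 minute, 2, 4, ... up to daily), not doubling on the very first error, rejecting a delay of 0, and the integer overflow that eventually made the backoff 0. The following is an added example, not mod_md's code: `retry_delay` is a saturating version of that schedule, and `naive_delay_32bit` is an assumed shape of the bug (a 32-bit `1 << n` multiplier) used only to show how a wrapping shift collapses the wait to zero; it does not reproduce the exact number of failures (about 30 days) the advisory reports.

```python
DAY = 24 * 60 * 60  # seconds


def retry_delay(failures, base=30, cap=DAY):
    """Seconds to wait after `failures` consecutive renewal errors (1-based).
    The first error waits `base` rather than already doubling it, every
    further error doubles, and the wait saturates at `cap` (daily by
    default).  `base` must be positive, as mod_md 2.6.1 requires for
    MDRetryDelay: a zero delay would retry in a tight loop."""
    if base <= 0:
        raise ValueError("retry delay must be positive")
    if failures < 1:
        raise ValueError("failures must be at least 1")
    # Clamp the exponent *before* shifting: once 2**exponent exceeds cap/base
    # the result is capped anyway, so larger exponents can never overflow,
    # whatever integer width the platform uses.
    exponent = min(failures - 1, (cap // base).bit_length())
    return min(base << exponent, cap)


def naive_delay_32bit(failures, base=30, cap=DAY):
    """Illustrative failure mode (an assumption about the bug's shape, not
    mod_md's code): the multiplier is a 32-bit `1 << n`.  Once n reaches 32
    the shift wraps to 0 and the computed wait collapses to zero."""
    multiplier = (1 << (failures - 1)) & 0xFFFFFFFF
    return min(base * multiplier, cap)


def first_zero_delay(delay_fn, limit=10_000):
    """Index of the first failure whose computed delay is 0, or None."""
    for n in range(1, limit + 1):
        if delay_fn(n) == 0:
            return n
    return None


def days_before(delay_fn, failures):
    """Wall-clock days spent backing off across the first `failures` errors."""
    return sum(delay_fn(n) for n in range(1, failures + 1)) / DAY


if __name__ == "__main__":
    print([retry_delay(n) for n in range(1, 6)])            # 30s, 1m, 2m, 4m, 8m
    collapse = first_zero_delay(naive_delay_32bit)
    print(collapse, round(days_before(naive_delay_32bit, collapse - 1), 1))
    print(first_zero_delay(retry_delay))                    # never collapses
```

With the constructed 32-bit multiplier the wait becomes 0 on the 33rd consecutive failure, after roughly three weeks of daily attempts; the saturating version never drops below the base delay, and the exponent clamp makes the result independent of the platform's integer width.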

mod_http2 v2.0.34 rpms released

mod_http2 v2.0.34 rpms released and added to all supported platforms.

Changes:

Added support for «ProxyErrorOverride» directive in mod_proxy_http2.

Fix a bug in calculating the log2 value of integers, used in push
diaries and proxy window size calculations. Apache PR69741.
[Benjamin P. Kallus]

Apache httpd 2.4.65 with brotli support, TLS 1.3, OpenSSL 3.5.1 with http2, mod_http2 2.0.33 and ALPN for Red Hat Enterprise Linux, CentOS 7, Alma Linux, Rocky Linux 8/9/10 fixing CVE-2025-54090

Apache httpd 2.4.65 added to the repository.

Changes:

  *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
     always evaluates to true in 2.4.64 (cve.mitre.org)
     A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
     expr ..." tests evaluating as "true".
     Users are recommended to upgrade to version 2.4.65, which fixes
     the issue.


Apache httpd 2.4.64 with brotli support, TLS 1.3, OpenSSL 3.5.1 with http2, mod_http2 2.0.32 and ALPN for Red Hat Enterprise Linux, CentOS 7, Alma Linux, Rocky Linux 8/9/10

Apache httpd 2.4.64 added to the repository.

mod_http2 v2.0.31 rpms released

mod_http2 v2.0.31 rpms released and added to all supported platforms.

Changes:

  • mod_proxy_http2: revert r1912193 for detecting broken backend connections as this interferes with backend selection when a node is unresponsive. PR69624.
  • Fix issue with handling 304 responses from mod_cache. PR69580.

mod_http2 v2.0.30 rpms released

mod_http2 v2.0.30 rpms released and added to all supported platforms.

Changes:

  • Fixed bug in handling overlong response headers. When the 64 KB limit
    of nghttp2 was exceeded, the request was not reset and the client was
    left hanging, waiting for it. Now the stream is reset.
  • Added new directive H2MaxHeaderBlockLen to set the limit on response
    header sizes.
  • Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
    connection was reset.

Apache httpd 2.4.63 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.63 added to the repository.

Changes:

*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski@canonical.com>,
Romain Tartière <romain@blogreen.org>]

*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]

*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]

*) mod_md: update to version 2.4.31
— Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
— Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
— Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.

*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou]

*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]

*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]

*) mod_log_config: Fix merging for the «LogFormat» directive.
PR 65222. [Michael Kaufmann <mail@michael-kaufmann.ch>]

*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo@apache.org>]

*) mod_md: update to version 2.4.29
— Fixed HTTP-01 challenges to not carry a final newline, as some ACME
servers fail to ignore it. [Michael Kaufmann (@mkauf)]
— Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.

*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without «SSLCryptoDevice» configured. [Joe Orton]

*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]

*) mod_proxy_fcgi: Don’t re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]

*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including «unix:» ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]

*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter]

*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]

*) mod_rewrite: Don’t require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]

*) Windows: Restore the ability to «Include» configuration files on UNC
paths. PR 69313 [Eric Covener]

*) mod_proxy: Avoid AH01059 parsing error for SetHandler «unix:» URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]

*) mod_md: update to version 2.4.28
— When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in ‘md/staging/<domain>’ is messed
up, this could prevent further renewals from happening. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
— Fix certificate retrieval on ACME renewal to not require a ‘Location:’
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let’s Encrypt still supports this,
but other CAs do not. [icing]
— Restore compatibility with OpenSSL < 1.1. [ylavic]

*) mod_tls: removed the experimental module. It is now available standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]

*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]

*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]