Subject: svn commit: r48071 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.48 CURRENT-IS-2.4.46 CURRENT-IS-2.4.48
Date: Tue, 01 Jun 2021 20:04:26 -0000
To: cvs@httpd.apache.org
Reply-To: dev@httpd.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
From: jailletc36@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20210601200426.90B8E17B607@svn01-us-east.apache.org> Author: jailletc36 Date: Tue Jun 1 20:04:26 2021 New Revision: 48071 Log: Updates for announcement of Added: release/httpd/CURRENT-IS-2.4.48 Removed: release/httpd/CURRENT-IS-2.4.46 Modified: release/httpd/Announcement2.4.html release/httpd/Announcement2.4.txt release/httpd/CHANGES_2.4 release/httpd/CHANGES_2.4.48 Modified: release/httpd/Announcement2.4.html ============================================================================== --- release/httpd/Announcement2.4.html (original) +++ release/httpd/Announcement2.4.html Tue Jun 1 20:04:26 2021 @@ -52,7 +52,7 @@ Apache HTTP Server 2.4.48 Released

- September 21, 2018 + June 01, 2021

The Apache Software Foundation and the Apache HTTP Server Project are @@ -62,7 +62,7 @@ release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is - a feature and bug fix release. + a security, feature and bug fix release.

We consider this release to be the best version of Apache available, and Modified: release/httpd/Announcement2.4.txt ============================================================================== --- release/httpd/Announcement2.4.txt (original) +++ release/httpd/Announcement2.4.txt Tue Jun 1 20:04:26 2021 @@ -1,6 +1,6 @@ Apache HTTP Server 2.4.48 Released - September 21, 2018 + June 01, 2021 The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.48 of the Apache @@ -8,7 +8,7 @@ release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is - a feature and bug fix release. + a security, feature and bug fix release. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. Modified: release/httpd/CHANGES_2.4 ============================================================================== --- release/httpd/CHANGES_2.4 (original) +++ release/httpd/CHANGES_2.4 Tue Jun 1 20:04:26 2021 @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.48 + *) SECURITY: CVE-2021-31618 (cve.mitre.org) + mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov] + *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the fallback to mod_proxy_http for WebSocket upgrade and tunneling. [Yann Ylavic] 
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48 Changes with Apache 2.4.47 + *) SECURITY: CVE-2021-30641 (cve.mitre.org) + Unexpected section matching with 'MergeSlashes OFF' + + *) SECURITY: CVE-2020-35452 (cve.mitre.org) + mod_auth_digest: possible stack overflow by one nul byte while validating + the Digest nonce. [Yann Ylavic] + + *) SECURITY: CVE-2020-26691 (cve.mitre.org) + mod_session: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service with a malicious backend + server and SessionHeader. [Yann Ylavic] + + *) SECURITY: CVE-2020-26690 (cve.mitre.org) + mod_session: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service. [Yann Ylavic] + + *) SECURITY: CVE-2020-13950 (cve.mitre.org) + mod_proxy_http: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service. [Yann Ylavic] + + *) SECURITY: CVE-2020-13938 (cve.mitre.org) + Windows: Prevent local users from stopping the httpd process [Ivan Zhakov] + + *) SECURITY: CVE-2019-17567 (cve.mitre.org) + mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end + negotiation. [Yann Ylavic] + *) mod_dav_fs: Improve logging output when failing to open files for writing. PR 64413. [Bingyu Shen ] 
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47 *) mod_authnz_ldap: Prevent authentications with empty passwords for the initial bind to fail with status 500. [Ruediger Pluem] - *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if - the format can't match anyway. [Yann Ylavic] - *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked Transfer-Encoding from the client, spooling the request body when needed to provide a Content-Length to the backend. PR 57087. [Yann Ylavic] - *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in - proxy_util. [Yann Ylavic] - *) mod_proxy: Improve tunneling loop to support half closed connections and pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic] - *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response - and switched protocol forwarding. [Yann Ylavic] - *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http, allowing for (non-)Upgrade negotiation with the origin server. [Yann Ylavic] Modified: release/httpd/CHANGES_2.4.48 ============================================================================== --- release/httpd/CHANGES_2.4.48 (original) +++ release/httpd/CHANGES_2.4.48 Tue Jun 1 20:04:26 2021 @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.48 + *) SECURITY: CVE-2021-31618 (cve.mitre.org) + mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov] + *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the fallback to mod_proxy_http for WebSocket upgrade and tunneling. [Yann Ylavic] 
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48 Changes with Apache 2.4.47 + *) SECURITY: CVE-2021-30641 (cve.mitre.org) + Unexpected section matching with 'MergeSlashes OFF' + + *) SECURITY: CVE-2020-35452 (cve.mitre.org) + mod_auth_digest: possible stack overflow by one nul byte while validating + the Digest nonce. [Yann Ylavic] + + *) SECURITY: CVE-2020-26691 (cve.mitre.org) + mod_session: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service with a malicious backend + server and SessionHeader. [Yann Ylavic] + + *) SECURITY: CVE-2020-26690 (cve.mitre.org) + mod_session: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service. [Yann Ylavic] + + *) SECURITY: CVE-2020-13950 (cve.mitre.org) + mod_proxy_http: Fix possible crash due to NULL pointer dereference, which + could be used to cause a Denial of Service. [Yann Ylavic] + + *) SECURITY: CVE-2020-13938 (cve.mitre.org) + Windows: Prevent local users from stopping the httpd process [Ivan Zhakov] + + *) SECURITY: CVE-2019-17567 (cve.mitre.org) + mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end + negotiation. [Yann Ylavic] + *) mod_dav_fs: Improve logging output when failing to open files for writing. PR 64413. [Bingyu Shen ] 
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47 *) mod_authnz_ldap: Prevent authentications with empty passwords for the initial bind to fail with status 500. [Ruediger Pluem] - *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if - the format can't match anyway. [Yann Ylavic] - *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked Transfer-Encoding from the client, spooling the request body when needed to provide a Content-Length to the backend. PR 57087. [Yann Ylavic] - *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in - proxy_util. [Yann Ylavic] - *) mod_proxy: Improve tunneling loop to support half closed connections and pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic] - *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response - and switched protocol forwarding. [Yann Ylavic] - *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http, allowing for (non-)Upgrade negotiation with the origin server. [Yann Ylavic] @@ -262,3 +283,13 @@ Changes with Apache 2.4.47 connection reuse is disabled by default to avoid compatibility issues. [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere] + [Apache 2.3.0-dev includes those bug fixes and changes with the + Apache 2.2.xx tree as documented, and except as noted, below.] + +Changes with Apache 2.2.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup + +Changes with Apache 2.0.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup Added: release/httpd/CURRENT-IS-2.4.48 ============================================================================== (empty)
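Review bot: the second hunk in each of Announcement2.4.html and Announcement2.4.txt relabels 2.4.48 as "a security, feature and bug fix release", but nothing in the shown hunks tells a reader which CVEs the release addresses; consider adding one sentence pointing at the SECURITY entries in CHANGES_2.4.48 (CVE-2021-31618 plus the seven CVEs listed under 2.4.47) so users can judge urgency without opening the changelog. The date fix from "September 21, 2018" to "June 01, 2021" is applied identically in both files, which is the consistency you want between the .html and .txt copies.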
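Review bot: the new CVE-2021-31618 entry in the first hunk of CHANGES_2.4 (and the identical hunk in CHANGES_2.4.48) reads only "mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]" with no statement of impact, whereas the other new SECURITY entries spell out "which could be used to cause a Denial of Service"; add the impact and a terminating period so the entry matches the format of its siblings.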
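Review bot: in the 2.4.47 security block (second hunk of CHANGES_2.4, repeated in CHANGES_2.4.48), the CVE-2021-30641 entry "Unexpected section matching with 'MergeSlashes OFF'" is the only one with no credit in brackets and no verb saying what was fixed; the other six follow the "module: Fix ... [Name]" pattern. Suggest rewording it to state the correction rather than only the symptom and adding the attribution.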
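Review bot: the third hunk of CHANGES_2.4 (@@ -185,22 +215,13 @@, repeated in CHANGES_2.4.48) drops three entries: the mod_auth_digest fast nonce validation, the mod_proxy refactor putting mod_proxy_{connect,wstunnel} tunneling code in common in proxy_util, and the mod_proxy_http Upgrade/101 handling. The first and third are evidently folded into the new CVE-2020-35452 and CVE-2019-17567 entries above, but the proxy_util consolidation has no security counterpart and simply disappears from the changelog; either keep that entry or mention the consolidation in the CVE-2019-17567 text so the 2.4.47 section still records that change.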
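Review bot: the final hunk (@@ -262,3 +283,13 @@) appends the "[Apache 2.3.0-dev includes those bug fixes ...]" trailer and the 2.2.x/2.0.x CHANGES links to CHANGES_2.4.48 only; CHANGES_2.4 receives no corresponding hunk in this commit, so unless it already carries that tail the two files now diverge. The trailer's reference to 2.3.0-dev also reads stale in a 2.4.48 changelog, and both viewvc links are plain http://. Separately, the CURRENT-IS marker moves from 2.4.46 straight to 2.4.48 while the changelog carries a "Changes with Apache 2.4.47" section; if 2.4.47 was never shipped, the announcement should say so to avoid confusion.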