1 | 1 | -*- coding: utf-8 -*- |
| 2 | +Changes with Apache 2.4.65 |
| 3 | + |
2 | 4 | Changes with Apache 2.4.64 |
3 | 5 |
|
| 6 | + *) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by |
| 7 | + Memory Increase (cve.mitre.org) |
| 8 | + Late Release of Memory after Effective Lifetime vulnerability in |
| 9 | + Apache HTTP Server. |
| 10 | + This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. |
| 11 | + Users are recommended to upgrade to version 2.4.64, which fixes |
| 12 | + the issue. |
| 13 | + Credits: Gal Bar Nahum |
| 14 | + |
| 15 | + *) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS |
| 16 | + upgrade attack (cve.mitre.org) |
| 17 | + In some mod_ssl configurations on Apache HTTP Server versions |
| 18 | + through to 2.4.63, an HTTP desynchronisation attack allows a |
| 19 | + man-in-the-middle attacker to hijack an HTTP session via a TLS |
| 20 | + upgrade. |
| 21 | + Only configurations using "SSLEngine optional" to enable TLS |
| 22 | + upgrades are affected. Users are recommended to upgrade to |
| 23 | + version 2.4.64, which removes support for TLS upgrade. |
| 24 | + Credits: Robert Merget (Technology Innovation Institute) |
| 25 | + |
| 26 | + *) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 |
| 27 | + denial of service (cve.mitre.org) |
| 28 | + In certain proxy configurations, a denial of service attack |
| 29 | + against Apache HTTP Server versions 2.4.26 through to 2.4.63 |
| 30 | + can be triggered by untrusted clients causing an assertion in |
| 31 | + mod_proxy_http2. |
| 32 | + Configurations affected are a reverse proxy is configured for an |
| 33 | + HTTP/2 backend, with ProxyPreserveHost set to "on". |
| 34 | + Credits: Anthony CORSIEZ |
| 35 | + |
| 36 | + *) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access |
| 37 | + control bypass with session resumption (cve.mitre.org) |
| 38 | + In some mod_ssl configurations on Apache HTTP Server 2.4.35 |
| 39 | + through to 2.4.62, an access control bypass by trusted clients |
| 40 | + is possible using TLS 1.3 session resumption. |
| 41 | + Configurations are affected when mod_ssl is configured for |
| 42 | + multiple virtual hosts, with each restricted to a different set |
| 43 | + of trusted client certificates (for example with a different |
| 44 | + SSLCACertificateFile/Path setting). In such a case, a client |
| 45 | + trusted to access one virtual host may be able to access another |
| 46 | + virtual host, if SSLStrictSNIVHostCheck is not enabled in either |
| 47 | + virtual host. |
| 48 | + Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, |
| 49 | + and Juraj Somorovsky at Paderborn University |
| 50 | + |
| 51 | + *) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log |
| 52 | + variable escaping (cve.mitre.org) |
| 53 | + Insufficient escaping of user-supplied data in mod_ssl in Apache |
| 54 | + HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS |
| 55 | + client to insert escape characters into log files in some |
| 56 | + configurations. |
| 57 | + In a logging configuration where CustomLog is used with |
| 58 | + "%{varname}x" or "%{varname}c" to log variables provided by |
| 59 | + mod_ssl such as SSL_TLS_SNI, no escaping is performed by either |
| 60 | + mod_log_config or mod_ssl and unsanitized data provided by the |
| 61 | + client may appear in log files. |
| 62 | + Credits: John Runyon |
| 63 | + |
| 64 | + *) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows |
| 65 | + due to UNC paths (cve.mitre.org) |
| 66 | + Server-Side Request Forgery (SSRF) in Apache HTTP Server on |
| 67 | + Windows allows to potentially leak NTLM hashes to a malicious |
| 68 | + server via |
| 69 | + mod_rewrite or apache expressions that pass unvalidated request |
| 70 | + input. |
| 71 | + This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. |
| 72 | + Note: The Apache HTTP Server Project will be setting a higher |
| 73 | + bar for accepting vulnerability reports regarding SSRF via UNC |
| 74 | + paths. |
| 75 | + The server offers limited protection against administrators |
| 76 | + directing the server to open UNC paths. |
| 77 | + Windows servers should limit the hosts they will connect over |
| 78 | + via SMB based on the nature of NTLM authentication. |
| 79 | + Credits: Kainan Zhang (@4xpl0r3r) from Fortinet |
| 80 | + |
| 81 | + *) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with |
| 82 | + mod_headers setting Content-Type header (cve.mitre.org) |
| 83 | + SSRF in Apache HTTP Server with mod_proxy loaded allows an |
| 84 | + attacker to send outbound proxy requests to a URL controlled by |
| 85 | + the attacker. Requires an unlikely configuration where |
| 86 | + mod_headers is configured to modify the Content-Type request or |
| 87 | + response header with a value provided in the HTTP request. |
| 88 | + Users are recommended to upgrade to version 2.4.64 which fixes |
| 89 | + this issue. |
| 90 | + |
| 91 | + *) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response |
| 92 | + splitting (cve.mitre.org) |
| 93 | + HTTP response splitting in the core of Apache HTTP Server allows |
| 94 | + an attacker who can manipulate the Content-Type response headers |
| 95 | + of applications hosted or proxied by the server can split the |
| 96 | + HTTP response. |
| 97 | + This vulnerability was described as CVE-2023-38709 but the patch |
| 98 | + included in Apache HTTP Server 2.4.59 did not address the issue. |
| 99 | + Users are recommended to upgrade to version 2.4.64, which fixes |
| 100 | + this issue. |
| 101 | + |
4 | 102 | *) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer |
5 | 103 | size. PR 69402 [Jari Ahonen < [email protected]>] |
6 | 104 |
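Review bot: the CVE-2024-43204 and CVE-2024-42516 entries are the only two in this hunk without a "Credits:" line, and the CVE-2024-42516 text carries a doubled verb, "allows an attacker who can manipulate the Content-Type response headers ... can split the HTTP response"; it should read "allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response", and it is also the one entry that states no affected version range, so please add one (every other entry gives "from X through Y") so readers can triage without opening the CVE record. Two smaller points in the same hunk: the CVE-2025-23048 entry says "2.4.35 through to 2.4.62" while the fix ships in 2.4.64, which leaves 2.4.63 unaccounted for, so please confirm whether 2.4.63 is affected and align the range with the neighbouring entries; and in the CVE-2025-49630 entry "Configurations affected are a reverse proxy is configured for an HTTP/2 backend" should be "Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend". Finally, since the CVE-2025-49812 fix "removes support for TLS upgrade", that entry would benefit from one sentence telling administrators who rely on "SSLEngine optional" what 2.4.64 now does with an upgrade request, because this is a functional change and not only a fix.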