#15085 closed enhancement (fixed)
httpd-2.4.48
Reported by: | Bruce Dubbs | Owned by: | |
---|---|---|---|
Priority: | elevated | Milestone: | 11.0 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (7)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
I forwarded the layout patch and tested for clean applying, but as I don't use it, I don't really test for it. Should be ok, though, as it is unchanged for a while now.
comment:4 by , 3 years ago
Priority: | normal → elevated |
---|---|
Resolution: | fixed |
Status: | closed → reopened |
Reopening because a series of vulnerabilities were announced this week on oss-security. Brief summaries, ignoring the mitigation since we have 2.4.48 in the book - see https://www.openwall.com/lists/oss-security/2021/06/10/2 to https://www.openwall.com/lists/oss-security/2021/06/10/9 for the original posts, and follow links for clarifications.
CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections. Severity: moderate. Versions 2.4.6 to 2.4.46.
CVE-2020-13938: Improper Handling of Insufficient Privileges. Severity: moderate. Versions 2.4.0 to 2.4.47.
CVE-2020-13950: mod_proxy_http NULL pointer dereference. Severity: low. Versions 2.4.41 to 2.4.46.
CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte. Severity: low. Versions 2.4.0 to 2.4.46.
CVE-2021-26690: mod_session NULL pointer dereference. Severity: low. Versions 2.4.0 to 2.4.46.
CVE-2021-26691: mod_session response handling heap overflow. Severity: low. Versions 2.4.0 to 2.4.46.
CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF'. Severity: moderate. Versions 2.4.39 to 2.4.46.
Security Advisory to follow.
comment:5 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
Changes with Apache 2.4.48
`MDPrivateKeys secp384r1 rsa2048` you get one ECDSA and one RSA certificate and all modern clients will use the shorter ECDSA, while older clients will get the RSA certificate. Many thanks to @tlhackque who pushed and helped on this.
`MDomain *.host.net` will match all virtual hosts matching that pattern and obtain one certificate for it (assuming you have 'dns-01' challenge support configured). Addresses #239.
`renewing` call to `MDMessageCmd` that can deny a certificate renewal attempt. This is useful in clustered installations, as discussed in #233).
`challenge-setup:<type>:<domain>`, triggered when the challenge data for a domain has been created. This is invoked before the ACME server is told to check for it. The type is one of the ACME challenge types. This is invoked for every DNS name in a MDomain.
`MDActivationDelay` to 0. This was confusing to users that new certificates were deemed not usable before a day of delay. When clocks are correct, using a new certificate right away should not pose a problem.
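An added example, not part of the ticket or of httpd: a POSIX shell handler for the `renewing` and `challenge-setup:<type>:<domain>` events described in the changelog above. It assumes mod_md runs the command as `<cmd> <event> <managed-domain>` and treats a non-zero exit on `renewing` as a denial; `MD_RENEW_LEADER`, `MD_THIS_NODE` and `MD_EVENT_LOG` are hypothetical settings.

```shell
#!/bin/sh
# Added example: handler for MDMessageCmd events (not code from the httpd project).
# Assumptions: mod_md invokes the command as `<cmd> <event> <managed-domain>`,
# and a non-zero exit on the "renewing" event denies that renewal attempt.
# MD_RENEW_LEADER, MD_THIS_NODE and MD_EVENT_LOG are hypothetical settings.

MD_THIS_NODE=${MD_THIS_NODE:-$(uname -n 2>/dev/null || echo unknown)}
MD_EVENT_LOG=${MD_EVENT_LOG:-/dev/null}

# Split "challenge-setup:<type>:<domain>" into "<type> <domain>".
# Returns 1 when the prefix, the type or the domain part is missing.
md_parse_challenge() {
    rest=${1#challenge-setup:}
    [ "$rest" != "$1" ] || return 1
    ctype=${rest%%:*}
    cdomain=${rest#*:}
    [ -n "$ctype" ] && [ -n "$cdomain" ] && [ "$cdomain" != "$rest" ] || return 1
    printf '%s %s\n' "$ctype" "$cdomain"
}

# Decide on one event; the return status is what the handler exits with.
md_message() {
    event=$1 md=$2
    case $event in
    renewing)
        # Cluster rule: only the designated node may start a renewal.
        if [ -n "$MD_RENEW_LEADER" ] && [ "$MD_THIS_NODE" != "$MD_RENEW_LEADER" ]; then
            echo "deny renewing $md on $MD_THIS_NODE" >>"$MD_EVENT_LOG"
            return 1
        fi
        ;;
    challenge-setup:*)
        # Fired once per DNS name, before the ACME server is told to check.
        if parsed=$(md_parse_challenge "$event"); then
            echo "challenge $parsed (md=$md)" >>"$MD_EVENT_LOG"
        else
            echo "malformed event: $event" >>"$MD_EVENT_LOG"
        fi
        ;;
    esac
    # Unknown events are ignored so new event types do not block renewal.
    return 0
}

# Act as the handler only when called with arguments.
if [ "$#" -gt 0 ]; then
    md_message "$@"
    exit $?
fi
```

With `MD_RENEW_LEADER` unset the handler allows every renewal, so a single-node setup behaves as if no handler were installed.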