#16645 closed enhancement (fixed)

httpd-2.4.54 (needs security advisory)

Reported by: Bruce Dubbs
Owned by: Tim Tassonis
Priority: elevated
Milestone: 11.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Tim Tassonis, 23 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

Changes with Apache 2.4.54

*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (cve.mitre.org). Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Credits: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue

*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with websockets (cve.mitre.org). Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-30522: mod_sed denial of service (cve.mitre.org). If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. Credits: This issue was found by Brian Moussalli from the JFrog Security Research team

*) SECURITY: CVE-2022-29404: Denial of service in mod_lua r:parsebody (cve.mitre.org). In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28615: Read beyond bounds in ap_strcmp_match() (cve.mitre.org). Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite() (cve.mitre.org). The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi (cve.mitre.org). Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request smuggling (cve.mitre.org). Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions. Credits: Ricter Z @ 360 Noah Lab

*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666. [Yann Ylavic]

*) mod_md: a bug was fixed that caused very large MDomains with the combined DNS names exceeding ~7k to fail, as request bodies would contain partially wrong data from uninitialized memory. This would have appeared as failure in signing-up/renewing such configurations. [Stefan Eissing, Ronald Crane (Zippenhop LLC)]

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666. [Yann Ylavic]

*) MPM event: Restart children processes killed before idle maintenance. PR 65769. [Yann Ylavic, Ruediger Pluem]

*) ab: Allow for TLSv1.3 when the SSL library supports it. [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]

*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce transmission delays. PR 66019. [Yann Ylavic]

*) MPM event: Fix accounting of active/total processes on ungraceful restart, PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]

*) core: make ap_escape_quotes() work correctly on strings with more than MAX_INT/2 characters, counting quotes double. Credit to <generalbugs@…> for finding this. [Stefan Eissing]

*) mod_md: the MDCertificateAuthority directive can take more than one URL/name of an ACME CA. This gives a failover for renewals when several consecutive attempts to get a certificate failed. A new directive was added: MDRetryDelay sets the delay of retries. A new directive was added: MDRetryFailover sets the number of errored attempts before an alternate CA is selected for certificate renewals. [Stefan Eissing]

*) mod_http2: remove unused and insecure code. Fixes PR66037. Thanks to Ronald Crane (Zippenhop LLC) for reporting this. [Stefan Eissing]

*) mod_proxy: Add backend port to log messages to ease identification of involved service. [Rainer Jung]

*) mod_http2: removing unscheduling of ongoing tasks when connection shows potential abuse by a client. This proved counter-productive and the abuse detection can false flag requests using server-side-events. Fixes <https://github.com/icing/mod_h2/issues/231>. [Stefan Eissing]

*) mod_md: Implement full auto status ("key: value" type status output). Especially not only status summary counts for certificates and OCSP stapling but also lists. Auto status format is similar to what was used for mod_proxy_balancer. [Rainer Jung]

*) mod_md: fixed a bug leading to failed transfers for OCSP stapling information when more than 6 certificates needed updates in the same run. [Stefan Eissing]

*) mod_proxy: Set a status code of 502 in case the backend just closed the connection in reply to our forwarded request. [Ruediger Pluem]

*) mod_md: a possible NULL pointer deref was fixed in the JSON code for persisting time periods (start+end). Fixes #282 on mod_md's github. Thanks to @marcstern for finding this. [Stefan Eissing]

*) mod_heartmonitor: Set the documented default value "10" for HeartbeatMaxServers instead of "0". With "0" no shared memory slotmem was initialized. [Rainer Jung]

*) mod_md: added support for managing certificates via a local tailscale daemon for users of that secure networking. This gives trusted certificates for tailscale assigned domain names in the *.ts.net space. [Stefan Eissing]
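The CVE-2022-31813 entry in the changelog above names the mechanism (the client's Connection header driving hop-by-hop header removal) but not the shape of the bug. The following is an added illustrative model in Python, not mod_proxy's code and not the upstream fix: it shows how a proxy that adds its own X-Forwarded-For and then honours the client's Connection list wholesale can be made to drop that header, why an origin doing IP-based checks then sees the proxy's address instead of the client's, and one ordering that prevents it. All function names, the sample request and the IP addresses are constructed for this example.

```python
"""
Illustrative model of RFC 7230 hop-by-hop header handling in a forwarding
proxy, showing the class of bug behind CVE-2022-31813 (mod_proxy dropping
X-Forwarded-*).  This is an added example, not Apache httpd code; every
function name, the sample request and the IP addresses are constructed.
"""

# Header names RFC 7230 section 6.1 treats as hop-by-hop regardless of what
# the Connection header lists.
ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Headers the proxy owns; a client must never be able to veto them.
PROXY_OWNED = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-server"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a CRLF-separated header block into (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def connection_tokens(headers) -> set[str]:
    """Lower-cased names listed in any Connection header the client sent."""
    names = set()
    for name, value in headers:
        if name.lower() == "connection":
            names.update(t.strip().lower() for t in value.split(",") if t.strip())
    return names


def add_forwarded(headers, client_ip: str):
    """Append the client IP to X-Forwarded-For, merging with any value an
    upstream proxy already set (the usual proxy-chain behaviour)."""
    existing = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    out = [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]
    out.append(("X-Forwarded-For", ", ".join(existing + [client_ip])))
    return out


def strip_hop_by_hop(headers, protect=frozenset()):
    """Drop hop-by-hop headers: the fixed RFC set plus whatever the client
    named in Connection, except names listed in `protect`."""
    drop = (ALWAYS_HOP_BY_HOP | connection_tokens(headers)) - set(protect)
    return [(n, v) for n, v in headers if n.lower() not in drop]


def forward_vulnerable(client_headers, client_ip: str):
    """Buggy ordering: add X-Forwarded-For first, then honour the client's
    Connection list wholesale, so "Connection: X-Forwarded-For" deletes the
    header the proxy itself just added."""
    return strip_hop_by_hop(add_forwarded(client_headers, client_ip))


def forward_fixed(client_headers, client_ip: str):
    """Hardened ordering (constructed here, not the upstream patch): strip
    the client's hop-by-hop headers first, never letting it name proxy-owned
    headers, and only then add X-Forwarded-For."""
    stripped = strip_hop_by_hop(client_headers, protect=PROXY_OWNED)
    return add_forwarded(stripped, client_ip)


def origin_client_ip(headers, peer_ip: str) -> str:
    """What an origin that trusts its proxy typically does for IP-based
    access control: use the last X-Forwarded-For entry (the one the trusted
    proxy appended) and fall back to the TCP peer, i.e. the proxy, if absent."""
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            return value.split(",")[-1].strip()
    return peer_ip


# Constructed client request that names the proxy's own header as hop-by-hop.
SAMPLE_REQUEST = (
    "Host: app.example.internal\r\n"
    "Connection: close, X-Forwarded-For\r\n"
    "User-Agent: probe/1.0\r\n"
)
ATTACKER_IP = "203.0.113.7"   # the real client, as seen by the proxy
PROXY_IP = "10.0.0.5"         # the proxy, as seen by the origin


def demo() -> dict:
    """Run both proxy orderings and report which IP the origin would trust."""
    client = parse_headers(SAMPLE_REQUEST)
    vuln = forward_vulnerable(client, ATTACKER_IP)
    fixed = forward_fixed(client, ATTACKER_IP)
    return {
        "vulnerable_sees": origin_client_ip(vuln, PROXY_IP),
        "fixed_sees": origin_client_ip(fixed, PROXY_IP),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth carrying over to a real deployment is the one `origin_client_ip` makes visible: if an origin's allowlist ever matches the proxy's own address, a missing X-Forwarded-For silently grants the proxy's trust to whoever is behind it, so origin-side IP checks should fail closed when the header the proxy is expected to add is absent.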

comment:2 by Bruce Dubbs, 23 months ago

Summary: httpd-2.4.54 → httpd-2.4.54 (needs security advisory)

comment:3 by Douglas R. Reno, 23 months ago

Priority: normal → elevated

comment:4 by Douglas R. Reno, 23 months ago

Resolution: fixed
Status: assigned → closed

Security Advisories issued. SA-11.1-061 and 062
