Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#18745 closed enhancement (fixed)

httpd-2.4.58

Reported by: Bruce Dubbs
Owned by: ken@…
Priority: elevated
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (10)

comment:1 by Bruce Dubbs, 6 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 6 months ago

Changes with Apache 2.4.58

  • mod_ssl: Silence info log message "SSL Library Error: error:0A000126: SSL routines::unexpected eof while reading" when using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if

  • mod_http2: improved early cleanup of streams.

  • mod_proxy_http2: improved error handling on connection errors while response is already underway.

  • mod_http2: fixed a bug that could lead to a crash in main connection output handling. This occurred only when the last request on a HTTP/2 connection had been processed and the session decided to shut down. This could lead to an attempt to send a final GOAWAY while the previous write was still in progress. See PR 66646.

  • mod_proxy_http2: fix X-Forward-Host header to carry the correct value.

  • mod_http2: added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive 'H2WebSockets on|off' has been added. The feature is by default not enabled. As also discussed in the manual, this feature should work for setups using "ProxyPass backend-url upgrade=websocket" without further changes. Special server modules for WebSockets will have to be adapted, most likely, as the handling of IO events is different with HTTP/2. HTTP/2 WebSockets are supported on platforms with native pipes. This excludes Windows.

  • mod_rewrite: Fix a regression with both a trailing ? and [QSA].

  • mod_http2: fixed a bug in flushing pending data on an already closed connection that could lead to a busy loop, preventing the HTTP/2 session to close down successfully.

  • mod_http2: v2.0.15 with the following fixes and improvements
    • New directive 'H2EarlyHint name value' to add headers to a response, picked up already when a "103 Early Hints" response is sent. 'name' and 'value' must comply to the HTTP field restrictions. This directive can be repeated several times and header fields of the same names add. Sending a 'Link' header with 'preload' relation will also cause a HTTP/2 PUSH if enabled and supported by the client.
    • Fixed an issue where requests were not logged and accounted in a timely fashion when the connection returns to "keepalive" handling, e.g. when the request served was the last outstanding one. This led to late appearance in access logs with wrong duration times reported.
    • Accurately report the bytes sent for a request in the '%O' Log format. This addresses #203, a long outstanding issue where mod_h2 has reported numbers over-eagerly from internal buffering and not what has actually been placed on the connection. The numbers are now the same with and without H2CopyFiles enabled.
  • mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shutdown by the other side, a 503 response leaked even though the request was retried on a fresh connection.
  • mod_rewrite: Add server directory to include path as mod_rewrite requires test_char.h.
  • mod_http2: new directive H2ProxyRequests on|off to enable handling of HTTP/2 requests in a forward proxy configuration. General forward proxying is enabled via ProxyRequests. If the HTTP/2 protocol is also enabled for such a server/host, this new directive is needed in addition.
  • core: Updated conf/mime.types:
    • .js moved from 'application/javascript' to 'text/javascript'
    • .mjs was added as 'text/javascript'
    • add .opus ('audio/ogg')
    • add 'application/vnd.geogebra.slides'
    • add WebAssembly MIME types and extension
  • mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend connection when sending data on the frontend one. This caused crashes or infinite loops in rare situations.
  • mod_proxy_http2: fixed a bug in retry/response handling that could lead to wrong status codes or HTTP messages sent at the end of response bodies exceeding the announced content-length.
  • mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shutdown by the other side, a 503 response leaked even though the request was retried on a fresh connection.
  • mod_http2: fixed a bug that did cleanup of consumed and pending buckets in the wrong order when a bucket_beam was destroyed.
  • mod_http2: avoid double chunked-encoding on internal redirects.
  • mod_http2: Fix reporting of Total Accesses in server-status to not count HTTP/2 requests twice.
  • mod_ssl: Fix handling of Certificate Revoked messages in OCSP stapling.
  • mod_http2: fixed a bug in handling of stream timeouts.
  • mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in configure for proper version installed. Code fixes for changed clienthello member name.
  • mod_md:
    • New directive MDMatchNames all|servernames to allow more control over how MDomains are matched to VirtualHosts.
    • New directive MDChallengeDns01Version. Setting this to 2 will provide the command also with the challenge value on teardown invocation. In version 1, the default, only the setup invocation gets this parameter. Refs #312. Thanks to @domrim for the idea.
    • For Managed Domain in "manual" mode, the checks if all used ServerName and ServerAlias are part of the MDomain now reports a warning instead of an error (AH10040) when not all names are present.
    • MDChallengeDns01 can now be configured for individual domains. Using PR from Jérôme Billiras (@bilhackmac), adding a test case and fixing it to work properly.
    • Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge teardown not being invoked as it should.
  • mod_ldap: Avoid performance overhead of APR-util rebind cache for OpenLDAP 2.2+.
  • mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum amount of response body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places no limit (but the max size allowed by the protocol is observed). The module, by default, tries to use the maximum size possible, which is somewhat around 16KB. This sets the maximum. When less response data is available, smaller frames will be sent.
  • mod_dav: Add DavBasePath directive to configure the repository root path.
  • mod_alias: Add AliasPreservePath directive to map the full path after the alias in a location.
  • mod_alias: Add RedirectRelative to allow relative redirect targets to be issued as-is.
  • core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make sure that if the format is configured early enough it applies to every log line.
  • mod_deflate: Add DeflateAlterETag to control how the ETag is modified. The 'NoChange' parameter mimics 2.2.x behavior.
  • core: Optimize send_brigade_nonblocking().
  • mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers". Resolve inconsistency between the previous two occurrences by counting workers in state SERVER_GRACEFUL no longer as busy, but instead in a new counter "GracefulWorkers" (or on HTML view as "workers gracefully restarting"). Also add the graceful counter as a new column to the existing HTML per process table for async MPMs.

comment:3 by Bruce Dubbs, 6 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

1c8e374e73 Update to httpd-2.4.58.
261bdae708 Update to gnome-terminal-3.50.1 and vte-0.74.1

comment:4 by ken@…, 6 months ago

Resolution: fixed
Status: closed → reopened

CVEs listed at https://httpd.apache.org/security/vulnerabilities_24.html

low: mod_macro buffer over-read (CVE-2023-31122)

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.

Acknowledgements:

finder: David Shoon (github/davidshoon)

Update 2.4.58 released 2023-10-19. Affects <=2.4.57.

low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (CVE-2023-43622)

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.

This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Acknowledgements:

finder: Prof. Sven Dietrich (City University of New York)
finder: Isa Jafarov (City University of New York)
finder: Prof. Heejo Lee (Korea University)
finder: Choongin Lee (Korea University)

Reported to security team 2023-09-15. Update 2.4.58 released 2023-10-19. Affects <=2.4.57.

moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (CVE-2023-45802)

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Acknowledgements:

finder: Will Dormann of Vul Labs
finder: David Warren of Vul Labs

Reported to security team 2023-10-12. Update 2.4.58 released 2023-10-19. Affects <=2.4.57.

Reopening to create security advisory.
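The two HTTP/2 advisories quoted in the comment above describe client behaviour that is visible at the frame level: a SETTINGS frame announcing an initial window size of 0 (CVE-2023-43622), and a flood of RST_STREAM frames on one connection (the rapid-reset pattern the CVE-2023-45802 finders were testing). The following is an added example, not part of the ticket, of BLFS, or of httpd: a small stand-alone HTTP/2 frame decoder that flags both patterns in a captured client-to-server byte stream. The sample streams are constructed inline (HEADERS frames carry an empty header block because HPACK is not decoded here), and the RST_STREAM threshold of 100 is an arbitrary value chosen for illustration.

```python
"""Flag the client-side HTTP/2 patterns from the 2.4.58 advisories in a raw byte stream.

Added example; frame layout follows RFC 9113 (9-byte header: 24-bit length,
8-bit type, 8-bit flags, 31-bit stream id). Not httpd code.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface
HEADERS, RST_STREAM, SETTINGS = 0x1, 0x3, 0x4  # frame types used here
SETTINGS_INITIAL_WINDOW_SIZE = 0x4             # SETTINGS identifier
FLAG_ACK = 0x1                                 # on SETTINGS: acknowledgement, no payload
ERR_CANCEL = 0x8                               # RST_STREAM error code used by rapid-reset clients


def frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame (used only to build the constructed samples)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Split a client-to-server stream into (type, flags, stream_id, payload) tuples."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:      # truncated capture: stop rather than misparse
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def settings_params(payload):
    """Decode a SETTINGS payload: a sequence of 16-bit identifier + 32-bit value pairs."""
    params = {}
    for i in range(0, len(payload) - len(payload) % 6, 6):
        ident, value = struct.unpack("!HI", payload[i:i + 6])
        params[ident] = value
    return params


def analyse(data, rst_threshold=100):
    """Return (findings, rst_count) for one connection's client bytes."""
    findings, rst_count = [], 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype == SETTINGS and not flags & FLAG_ACK and stream_id == 0:
            if settings_params(payload).get(SETTINGS_INITIAL_WINDOW_SIZE) == 0:
                findings.append("initial window size 0 (CVE-2023-43622 pattern)")
        elif ftype == RST_STREAM:
            rst_count += 1
    if rst_count >= rst_threshold:
        findings.append(f"{rst_count} RST_STREAM frames on one connection "
                        "(rapid-reset / CVE-2023-45802 pattern)")
    return findings, rst_count


# ---- constructed sample streams (not real captures) ----
def sample_benign():
    return (PREFACE
            + frame(SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 65535))
            + frame(HEADERS, 0x5, 1))            # END_STREAM | END_HEADERS, empty header block


def sample_window_zero():
    return (PREFACE
            + frame(SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))
            + frame(HEADERS, 0x5, 1))


def sample_rapid_reset(n=200):
    data = PREFACE + frame(SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 65535))
    for i in range(n):                            # open a stream, cancel it immediately, repeat
        sid = 2 * i + 1                           # client-initiated streams are odd-numbered
        data += frame(HEADERS, 0x5, sid) + frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return data


if __name__ == "__main__":
    for name, sample in (("benign", sample_benign()),
                         ("window-zero", sample_window_zero()),
                         ("rapid-reset", sample_rapid_reset())):
        print(name, analyse(sample))
```

The check is deliberately stateless per connection; in a real deployment the same logic would run over frames reassembled from a TLS-terminated capture, and the RST_STREAM count would be rated per unit of time rather than per connection lifetime.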

comment:5 by ken@…, 6 months ago

Owner: changed from Bruce Dubbs to ken@…
Status: reopened → new

comment:6 by ken@…, 6 months ago

Security Advisory SA 12.0 027 created. Something breaks the html validation in consolidated.html, for the moment I cannot see where.

comment:7 by ken@…, 6 months ago

Resolution: fixed
Status: new → closed

Error was in an older advisory.

comment:8 by Xi Ruoyao, 6 months ago

I suggest an apache2 update on rivendell.

comment:9 by Xi Ruoyao, 6 months ago

Priority: normal → elevated

comment:10 by Bruce Dubbs, 6 months ago (in reply to comment:8)

Replying to Xi Ruoyao:

I suggest an apache2 update on rivendell.

Done.
