Re: svn commit: r1901500 - in /httpd/httpd/trunk: include/http_protocol.h server/protocol.c

2022-06-08 Thread Ruediger Pluem
On 6/8/22 5:43 PM, Ivan Zhakov wrote:
> Yes, I see now. But it will be an incorrect value in case of a string
> larger than INT_MAX. Not a big issue, but IMHO strings larger than
> INT_MAX also are not big issue.

You are correct that the value will be incorrect in case of a string larger than

Re: svn commit: r1901500 - in /httpd/httpd/trunk: include/http_protocol.h server/protocol.c

2022-06-08 Thread Ivan Zhakov
Yes, I see now. But it will be an incorrect value in case of a string larger than INT_MAX. Not a big issue, but IMHO strings larger than INT_MAX also are not big issue.

On Wed, 8 Jun 2022 at 18:26, Eric Covener wrote:
>
> On Wed, Jun 8, 2022 at 11:10 AM Ivan Zhakov wrote:
> >
> > On Wed, 1 Jun 2

Re: svn commit: r1901500 - in /httpd/httpd/trunk: include/http_protocol.h server/protocol.c

2022-06-08 Thread Eric Covener
On Wed, Jun 8, 2022 at 11:10 AM Ivan Zhakov wrote:
>
> On Wed, 1 Jun 2022 at 15:34, wrote:
> >
> > Author: covener
> > Date: Wed Jun 1 12:33:53 2022
> > New Revision: 1901500
> >
> > URL: http://svn.apache.org/viewvc?rev=1901500&view=rev
> > Log:
> > handle large writes in ap_rputs
> >
> > Modif

Re: svn commit: r1901500 - in /httpd/httpd/trunk: include/http_protocol.h server/protocol.c

2022-06-08 Thread Ivan Zhakov
On Wed, 1 Jun 2022 at 15:34, wrote:
>
> Author: covener
> Date: Wed Jun 1 12:33:53 2022
> New Revision: 1901500
>
> URL: http://svn.apache.org/viewvc?rev=1901500&view=rev
> Log:
> handle large writes in ap_rputs
>
> Modified:
> httpd/httpd/trunk/include/http_protocol.h
> httpd/httpd/trunk

2.4.54 out

2022-06-08 Thread Stefan Eissing
Apache httpd 2.4.54 release should be completely done now. If anyone notices something I missed, please let us know! Kind Regards, Stefan

CVE-2022-28615: Apache HTTP Server: Read beyond bounds in ap_strcmp_match()

2022-06-08 Thread Stefan Eissing
Severity: low Description: Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party module

CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

2022-06-08 Thread Stefan Eissing
Severity: low Description: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Credit: The Apache HTT

CVE-2022-30556: Apache HTTP Server: Information Disclosure in mod_lua with websockets

2022-06-08 Thread Stefan Eissing
Severity: low Description: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Credit: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this i

CVE-2022-30522: Apache HTTP Server: mod_sed denial of service

2022-06-08 Thread Stefan Eissing
Severity: low Description: If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. Credit: This issue was found by Brian Moussalli from t

CVE-2022-29404: Apache HTTP Server: Denial of service in mod_lua r:parsebody

2022-06-08 Thread Stefan Eissing
Severity: low Description: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Credit: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop L

CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite()

2022-06-08 Thread Stefan Eissing
Severity: low Description: The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Credit: The Apache HTTP Server proj

CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi

2022-06-08 Thread Stefan Eissing
Severity: low Description: Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Credit: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue References: htt

CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

2022-06-08 Thread Stefan Eissing
Severity: moderate Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Serv

Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Rainer Jung
On 06.06.2022 at 16:25, Stefan Eissing wrote: Here we go again! Sorry for the repeats, but that is why we build candidates, right? Hi all, Please find below the proposed release tarball and signatures: https://dist.apache.org/repos/dist/dev/httpd/ I would like to call a VOTE over the next

Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Stefan Eissing
With 9 +1 the voting is complete and I will make the release now. Thanks everyone for testing! Kind Regards, Stefan > On 08.06.2022 at 09:04, Petr Gajdos wrote: > > On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote: > [x] +1: It's not just good, it's good enough! > > SLE 15sp4,

Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Petr Gajdos
On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote: [x] +1: It's not just good, it's good enough! SLE 15sp4, openSUSE 15.4, Tumbleweed -- Have a lot of fun!