release of Apache HTTP Server 2.4.41 (release 2.4.40 was skipped), which introduced and eliminated :
- An issue in mod_http2 that can cause memory corruption when push requests are sent at a very early stage. When the "H2PushResource" setting is used, a memory area in the request processing pool can be overwritten, but the problem is limited to a crash because the data being written is not based on information received from the client;
- exposure to recent DoS vulnerabilities in HTTP/2 implementations. An attacker can exhaust the memory available to a process and create a heavy load on the CPU by opening the HTTP/2 sliding window so that the server sends data without restrictions, while keeping the TCP window closed, which prevents data from actually being written to the socket;
- a problem in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Some mod_rewrite settings may cause the user to be redirected to another link encoded with a newline character inside a parameter used in an existing redirect. To block the problem, the PCRE_DOTALL flag can be set in RegexDefaultOptions; it is now set by default;
- the ability to perform cross-site scripting on error pages displayed by mod_proxy. On these pages, the URL obtained from the request is substituted into a link, into which the attacker can insert arbitrary HTML code through character escaping;
- stack overflow and NULL pointer dereference in mod_remoteip, exploited through manipulation of the PROXY protocol header. The attack can only be carried out from the side of the proxy server used in the settings, and not through a client request;
- a vulnerability in mod_http2 that, at the time of connection termination, allows content to be read from an already freed memory area (read-after-free).
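As an added example (not part of the original article and not code from the Apache project), the following Python script checks a server for two of the conditions named above: an "H2PushResource" setting on a build older than 2.4.41, and a RegexDefaultOptions state in which DOTALL is not in effect. The function names, finding strings and sample input are constructed, and treating a bare option name the same as "+option" is a simplifying assumption.

```python
import re

FIXED = (2, 4, 41)  # release that the article says carries the fixes

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style text."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.groups())

def directives(config):
    """Yield (lowercased name, args) for each directive line."""
    for line in config.splitlines():
        line = line.strip()
        # Skip blanks, comments and <Section> container lines.
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        yield name.lower(), args

def dotall_enabled(config, version):
    """Replay RegexDefaultOptions; DOTALL is default only from 2.4.41."""
    on = version >= FIXED
    for name, args in directives(config):
        if name != "regexdefaultoptions":
            continue
        for arg in args:
            if arg.lower() == "none":
                on = False  # "none" clears every option
            elif arg.lstrip("+-").upper() == "DOTALL":
                on = not arg.startswith("-")  # assumption: bare == "+"
    return on

def audit(banner, config):
    """Return a list of findings for one server banner and config text."""
    version = parse_version(banner)
    findings = []
    if version < FIXED:
        findings.append("upgrade: version predates 2.4.41")
        if any(n == "h2pushresource" for n, _ in directives(config)):
            findings.append("mod_http2: H2PushResource on unfixed build")
    if not dotall_enabled(config, version):
        findings.append("mod_rewrite: DOTALL not in effect")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_BANNER = "Server version: Apache/2.4.39 (Unix)"
SAMPLE_CONFIG = "H2PushResource /css/site.css\nRegexDefaultOptions -DOTALL\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BANNER, SAMPLE_CONFIG)))
```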
The most notable non-security changes are:
- mod_proxy_balancer has enhanced protection against XSS/XSRF attacks from trusted hosts;
- Added setting SessionExpiryUpdateInterval to mod_session to define session/cookie expiration time update interval;
- Error pages were cleaned up so that information from requests is no longer output on these pages;
- mod_http2 takes into account the value of the "LimitRequestFieldSize" parameter, which previously only validated HTTP/1.1 header fields;
- Ensured that the mod_proxy_hcheck configuration is created when it is used in a BalancerMember;
- Reduced memory consumption in mod_dav when using the PROPFIND command on a large collection;
- In mod_proxy and mod_ssl, problems with specifying certificate and SSL settings inside the Proxy block have been resolved;
- In mod_proxy, the SSLProxyCheckPeer* settings are allowed for all proxy modules;
- Extended module capabilities , Let's Encrypt project to automate the receipt and maintenance of certificates using the ACME (Automatic Certificate Management Environment) protocol:
  - Added the second version of the protocol , which is now the default and empty POST requests instead of GET.
  - Added support for validation based on the TLS-ALPN-01 (RFC 7301, Application-Layer Protocol Negotiation) extension used by HTTP/2.
  - Validation method 'tls-sni-01' has been discontinued (due to ).
  - Added commands to configure and break the 'dns-01' check.
  - Added support in certificates when checking based on DNS ('dns-01') is enabled.
  - Implemented 'md-status' handler and certificate status page "https://domain/.httpd/certificate-status".
  - Added "MDCertificateFile" and "MDCertificateKeyFile" directives for configuring domain settings via static files (without auto-update support).
  - Added "MDMessageCmd" directive to call external commands when 'renewed', 'expiring' or 'errored' events occur.
  - Added "MDWarnWindow" directive to configure warning message about certificate expiration;
Source: opennet.ru
