Apache HTTP Server 2.4.46 released with vulnerabilities fixed

Apache HTTP Server 2.4.46 has been released (releases 2.4.44 and 2.4.45 were skipped). It introduces 17 changes and eliminates 3 vulnerabilities:

  • CVE-2020-11984 - a buffer overflow in the mod_proxy_uwsgi module, which can lead to information leakage or code execution on the server when a specially crafted request is sent. The vulnerability is exploited by sending a very long HTTP header. As protection, headers longer than 16K (a limit defined in the protocol specification) are now blocked.
  • CVE-2020-11993 - a vulnerability in the mod_http2 module that allows a process crash to be triggered by sending a request with a specially crafted HTTP/2 header. The problem manifests itself when debugging or tracing is enabled in the mod_http2 module and results in memory corruption due to a race condition when writing information to the log. The problem does not appear when LogLevel is set to "info".
  • CVE-2020-9490 - a vulnerability in the mod_http2 module that can cause a process crash when a request is sent via HTTP/2 with a specially crafted 'Cache-Digest' header value (the crash occurs when trying to perform an HTTP/2 PUSH operation for a resource). To block the vulnerability, you can use the "H2Push off" setting.
  • CVE-2020-11985 - a mod_remoteip vulnerability that allows IP address spoofing during proxying using mod_remoteip and mod_rewrite. The issue only occurs in releases 2.4.1 through 2.4.23.
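The conditions listed above can be checked against a server's version and configuration. The following is an added example, not code from the Apache project or the original article: the function names and the sample configuration are constructed for illustration, and it assumes a plain dotted version string, modules loaded via LoadModule, and a flat configuration (it does not track VirtualHost or other container scopes).

```python
import re

FIXED = (2, 4, 46)  # release the article reports as carrying the fixes

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
Protocols h2 http/1.1
LogLevel warn http2:trace2
"""

def directives(conf):
    """Return (lowercased name, args) per directive line; containers are ignored."""
    rows = (ln.split() for ln in conf.splitlines())
    return [(r[0].lower(), r[1:]) for r in rows if r and r[0][0] not in "#<"]

def http2_level(args):
    """Level one LogLevel directive gives mod_http2: its own entry, else the global one."""
    glob = own = None
    for tok in args:
        mod, _, lvl = tok.rpartition(":")
        mod = re.sub(r"^mod_|(_module|\.c)$", "", mod.lower())
        if mod == "http2":
            own = lvl.lower()
        elif not mod:
            glob = lvl.lower()
    return own or glob or ""

def audit(version, conf):
    """Map CVE id -> advice for a server version and config text (flat, single scope)."""
    ver = tuple(int(p) for p in version.split("."))
    if ver >= FIXED:
        return {}
    rows = directives(conf)
    mods = {a[0] for n, a in rows if n == "loadmodule" and a}
    out = {}
    if "proxy_uwsgi_module" in mods:
        out["CVE-2020-11984"] = "mod_proxy_uwsgi is loaded: upgrade to 2.4.46"
    if "http2_module" in mods:
        levels = [http2_level(a) for n, a in rows if n == "loglevel"]
        if any(l == "debug" or l.startswith("trace") for l in levels):
            out["CVE-2020-11993"] = "mod_http2 logs at debug/trace: use LogLevel info"
        push = [a[0].lower() for n, a in rows if n == "h2push" and a]
        if not push or any(p != "off" for p in push):
            out["CVE-2020-9490"] = "no effective 'H2Push off': set it or upgrade"
    if (2, 4, 1) <= ver <= (2, 4, 23) and {"remoteip_module", "rewrite_module"} <= mods:
        out["CVE-2020-11985"] = "mod_remoteip with mod_rewrite on 2.4.1-2.4.23: upgrade"
    return out
```

Calling `audit("2.4.43", SAMPLE_CONF)` reports the three issues that apply to that constructed server; a result for a real deployment still needs a manual look at per-VirtualHost overrides and statically compiled modules.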

The most notable non-security changes are:

  • Support for the draft specification kazuho-h2-cache-digest, which has been discontinued, has been removed from mod_http2.
  • The behavior of the "LimitRequestFields" directive in mod_http2 has changed: specifying a value of 0 now disables the limit.
  • mod_http2 handles primary and secondary (master/secondary) connections and marks methods based on usage.
  • When a FCGI/CGI script returns an invalid Last-Modified header, the header is now removed rather than replaced with the Unix epoch time.
  • The ap_parse_strict_length() function has been added to the code for strict parsing of the content size.
  • In mod_proxy_fcgi, ProxyFCGISetEnvIf now ensures that environment variables are removed if the given expression evaluates to False.
  • Fixed a race condition and possible crash of mod_ssl when using a client certificate set via the SSLProxyMachineCertificateFile setting.
  • Fixed a memory leak in mod_ssl.
  • mod_proxy_http2 now uses the proxy parameter "ping" when checking the health of a new or reused backend connection.
  • Stopped linking httpd with "-lsystemd" option if mod_systemd is enabled.
  • mod_proxy_http2 ensures that the ProxyTimeout setting is taken into account when waiting for incoming data through backend connections.

Source: opennet.ru
