Apache HTTP Server 2.4.48 has been released (version 2.4.47 was skipped). It introduces 39 changes and fixes 8 vulnerabilities:
- CVE-2021-30641 - unexpected <Location> section matching when 'MergeSlashes OFF' is configured;
- CVE-2020-35452 - single zero-byte stack overflow in mod_auth_digest;
- CVE-2021-31618, CVE-2021-26690 and CVE-2020-13950 - NULL pointer dereferences in mod_http2, mod_session and mod_proxy_http respectively; CVE-2021-26691 - heap overflow in mod_session triggered by a crafted SessionHeader sent by an origin server;
- CVE-2020-13938 - an unprivileged local user on Windows could stop the httpd process;
- CVE-2019-17567 - mod_proxy_wstunnel, when configured on a URL that the origin server does not necessarily upgrade to WebSocket, tunnelled the whole connection regardless, so subsequent requests on that connection bypassed any HTTP validation, authentication or authorization configured for them; mod_proxy_http was also adjusted as part of the fix.
The most notable non-security changes are:
- Added the ProxyWebsocketFallbackToProxyHttp directive to mod_proxy_wstunnel. WebSocket requests now fall back to mod_proxy_http, which handles the Upgrade itself; setting the directive to Off keeps the previous tunnelling behaviour of mod_proxy_wstunnel.
- SSL-related functions are now part of the core server API and are available without loading mod_ssl (which, for example, lets mod_md provide keys and certificates).
- Processing of OCSP (Online Certificate Status Protocol) responses has been moved from mod_ssl/mod_md into the core, so other modules can access OCSP data and supply OCSP responses.
- mod_md accepts wildcards in the MDomain directive, for example "MDomain *.host.net". The MDPrivateKeys directive accepts several key types, for example "MDPrivateKeys secp384r1 rsa2048" to obtain both an ECDSA and an RSA certificate. Support for the legacy ACMEv1 protocol has been dropped.
- Added support for Lua 5.4 to mod_lua.
- Updated mod_http2 with improved error handling. Added the 'H2OutputBuffering on/off' directive to control output buffering (on by default).
- The FileETag directive implements a "Digest" mode that derives the ETag from a hash of the file contents.
- mod_proxy allows you to limit the use of ProxyErrorOverride to specific status codes.
- New directives ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined have been implemented.
- mod_rewrite parses a SameSite attribute in the [CO] (cookie) flag of the RewriteRule directive.
- Added check_trans hook to mod_proxy to reject requests at an early stage.
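The following httpd.conf fragment is an added illustration, not part of the original article or of the Apache project's own documentation, of how the directives listed above and the WebSocket fallback that accompanies the CVE-2019-17567 fix are written in practice. Hostnames, paths, backend addresses and buffer sizes are illustrative assumptions; consult the 2.4.48 documentation for each directive's defaults and limits.

```apache
# Added example configuration for Apache httpd 2.4.48.
# Hostnames, paths, backend addresses and sizes below are assumptions.

# New buffering/flushing directives in 2.4.48 (illustrative values).
ReadBufferSize 16384
FlushMaxThreshold 131072
FlushMaxPipelined 10

# mod_md: wildcard domain, requesting both an ECDSA and an RSA certificate.
MDomain *.example.net
MDPrivateKeys secp384r1 rsa2048

# ETag computed from a digest of the file contents rather than inode/mtime/size,
# so the same file served from different nodes yields the same ETag.
<Directory "/srv/www/static">
    FileETag Digest
</Directory>

# mod_http2: disable output buffering for a streaming endpoint.
<Location "/events">
    H2OutputBuffering off
</Location>

# mod_rewrite: the [CO] flag now takes a SameSite value in its last position
# (name:value:domain:lifetime:path:secure:httponly:samesite).
RewriteEngine On
RewriteRule ^/login$ - [CO=sess_origin:web:.example.net:0:/:1:1:Lax]

# mod_proxy: replace only backend 502/503 responses with local error pages.
ProxyErrorOverride On 502 503
ErrorDocument 502 /errors/502.html
ErrorDocument 503 /errors/503.html

# WebSocket proxying. With the default (On), mod_proxy_wstunnel hands the request
# to mod_proxy_http, which switches to tunnelling only once the origin answers
# 101 Switching Protocols; requests the origin does not upgrade stay ordinary HTTP
# and keep passing through authentication and authorization. Set Off only if the
# pre-2.4.48 tunnelling behaviour is really required.
ProxyWebsocketFallbackToProxyHttp On
ProxyPass "/ws/" "ws://127.0.0.1:8080/ws/"
ProxyPassReverse "/ws/" "ws://127.0.0.1:8080/ws/"
```

After applying a fragment like this, run `apachectl configtest` (or `httpd -t`) before reloading; a server older than 2.4.48 will reject ProxyWebsocketFallbackToProxyHttp, H2OutputBuffering, FileETag Digest, the ProxyErrorOverride status-code list and the new buffering directives as unknown, which is a quick way to confirm which binary is actually in use.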
Source: opennet.ru