Apache 2.4.52 http server release with mod_lua buffer overflow fixed

Apache 2.4.52 HTTP server release has been published, which introduces 25 changes and fixes 2 vulnerabilities:

  • CVE-2021-44790 - A buffer overflow in mod_lua that occurs when parsing multipart requests. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, allowing an attacker to trigger the overflow by sending a specially crafted request. No working exploit has been identified so far, but the problem could potentially lead to execution of attacker-supplied code on the server.
  • CVE-2021-44224 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy. In configurations with the "ProxyRequests on" setting, a request for a specially crafted URI can be redirected to another handler on the same server that accepts connections via a Unix domain socket. The problem can also be used to cause a crash by creating the conditions for a null pointer dereference. The problem affects Apache httpd since version 2.4.7.
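
As an added example that is not part of the original article: a small Python check that applies the two exposure conditions stated above (mod_lua handlers calling r:parsebody(), and mod_proxy with "ProxyRequests On" on httpd 2.4.7 or later) to a configuration, so an administrator can see which hosts need the 2.4.52 update first. The httpd.conf fragment and Lua handler are constructed samples; the scan is a line-level heuristic and does not follow Include files or conditional sections.

```python
import re

# Constructed sample httpd.conf fragment (not taken from any real server).
SAMPLE_CONF = """\
LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
<Location /upload>
    SetHandler lua-script
    LuaMapHandler /upload /etc/httpd/lua/upload.lua
</Location>
"""

# Constructed sample Lua handler that calls r:parsebody() on the request body.
SAMPLE_LUA = """\
function handle(r)
    local form, files = r:parsebody(1024 * 1024)
    return apache2.OK
end
"""

# Matches a parsebody() method call on any receiver name, not just "r".
PARSEBODY = re.compile(r":parsebody\s*\(")

def version_tuple(version):
    """'2.4.51' -> (2, 4, 51) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def directives(conf_text):
    """Yield (name, args) per directive line; skips comments and section tags."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def assess(conf_text, lua_sources, version):
    """Return the CVE ids this configuration is exposed to on the given httpd version."""
    if version_tuple(version) >= (2, 4, 52):
        return []  # both issues are fixed in 2.4.52
    mods = {a.split()[0].lower() for n, a in directives(conf_text)
            if n == "loadmodule" and a}
    findings = []
    if "lua_module" in mods and any(PARSEBODY.search(src) for src in lua_sources):
        findings.append("CVE-2021-44790")
    proxy_on = any(n == "proxyrequests" and a.lower() == "on"
                   for n, a in directives(conf_text))
    if "proxy_module" in mods and proxy_on and version_tuple(version) >= (2, 4, 7):
        findings.append("CVE-2021-44224")
    return findings
```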

The most notable non-security changes are:

  • Added support for building with the OpenSSL 3 library to mod_ssl.
  • Improved detection of the OpenSSL library in the autoconf scripts.
  • In mod_proxy, for tunneling protocols, forwarding of TCP half-close can now be disabled by setting the "SetEnv proxy-nohalfclose" parameter.
  • Added checks that non-proxy URIs contain the http/https scheme, while those intended for proxying contain a hostname.
  • mod_proxy_connect and mod_proxy prevent the status code from changing after it has been sent to the client.
  • When sending intermediate responses after receiving requests with the "Expect: 100-Continue" header, ensure that the resulting status is "100 Continue" rather than the request's current status.
  • Added support for CalDAV extensions to mod_dav, in which both document elements and property elements must be considered when generating a property. Added new functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() that can be called from other modules.
  • In mpm_event, an issue with stopping idle child processes after a spike in server load has been resolved.
  • In mod_http2, a regression that caused incorrect handling of the MaxRequestsPerChild and MaxConnectionsPerChild limits has been fixed.
  • The capabilities of the mod_md module, which is used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been expanded:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled with the MDExternalAccountBinding directive. Values for EAB can be loaded from an external JSON file, which avoids exposing the authentication settings in the main server configuration file.
    • The 'MDCertificateAuthority' directive now verifies that its URL parameter specifies http/https or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • It is allowed to specify the MDContactEmail directive inside the section .
    • Several bugs have been fixed, including a memory leak that occurs when the private key fails to load.

Source: opennet.ru