Apache HTTP 2.4.52 fixes 2 vulnerabilities and brings several changes

A few days ago the release of the new version of the Apache HTTP server, 2.4.52, was announced. It contains about 25 changes and, in addition, fixes 2 vulnerabilities.

For those who are still unfamiliar with the Apache HTTP server: it is an open-source, cross-platform HTTP web server that implements the HTTP/1.1 protocol and the notion of virtual hosts according to the RFC 2616 standard.

What's new in Apache HTTP 2.4.52?

In this new version of the server, mod_ssl gains support for building against the OpenSSL 3 library. In addition, detection of the OpenSSL library in the autoconf scripts has been improved.

Another novelty that stands out in this new version is in mod_proxy: for tunnelling protocols, it is now possible to disable the forwarding of half-closed TCP connections by setting the "SetEnv proxy-nohalfclose" parameter.

In mod_proxy_connect and mod_proxy, changing the status code after it has already been sent to the client is now forbidden.

Meanwhile, mod_dav adds support for CalDAV extensions, which must take both the document element and the property elements into account when generating a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added, and they can be called from other modules.

In mod_http2, regressions that led to incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits have been fixed.

It is also noted that the capabilities of the mod_md module, used to automate obtaining and maintaining certificates through the ACME protocol (Automatic Certificate Management Environment), have been expanded:

Support has been added for the ACME External Account Binding (EAB) mechanism, which is enabled with the MDExternalAccountBinding directive. The EAB values can be read from an external JSON file so that the authentication parameters are not exposed in the main server configuration file.

The 'MDCertificateAuthority' directive now validates its parameter: it must be an http/https URL or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').

Other changes that stand out in this new version:

  • Additional checks have been added that URIs not intended for the proxy contain an http/https scheme, while those intended for the proxy contain a hostname.
  • After a request with an "Expect: 100-Continue" header is received, interim responses are sent to convey the result of the "100 Continue" status rather than the current status of the request.
  • mpm_event fixes a problem with stopping idle child processes after a spike in server load.
  • It is now allowed to specify the MDContactEmail directive within the section.
  • Several bugs have been fixed, including a memory leak that occurred when a private key was not loaded.

As for the vulnerabilities fixed in this new version, the following are mentioned:

  • CVE-2021-44790: buffer overflow in mod_lua when parsing multipart requests. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, and it allows an attacker to trigger a buffer overflow by sending a specially crafted request. No exploit has been identified so far, but the problem could potentially lead to code execution on the server.
  • SSRF (Server-Side Request Forgery) vulnerability in mod_proxy: in configurations with the "ProxyRequests on" option, a request with a specially crafted URI can be redirected to another handler on the same server that accepts connections over a Unix domain socket. The problem can also be used to cause a crash by triggering a null pointer dereference. It affects Apache httpd versions since 2.4.7.
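The two items above each name a version range and a configuration condition, which is exactly what an administrator needs to decide whether an upgrade to 2.4.52 is urgent. The following Python script is an added example (not code from the Apache project or from this article) that turns those statements into a pre-upgrade audit: it reads the Apache version from `httpd -v` output or a `Server` header, checks it against the ranges given above (SSRF: 2.4.7 up to but not including 2.4.52; mod_lua overflow: fixed in 2.4.52), and then flags the conditions the article names, `ProxyRequests On` in the server configuration and Lua handlers that call `r:parsebody()`. The version string, configuration and Lua sources embedded below are constructed for the demonstration; the function names are the author's own and not part of any Apache API.

```python
"""Pre-upgrade audit for the two issues fixed in Apache HTTP Server 2.4.52.

Added example (not Apache project code). It only reports the conditions the
release notes describe; it does not probe or modify the server.
"""
import re

FIXED_IN = (2, 4, 52)             # both issues are fixed in this release
SSRF_FIRST_AFFECTED = (2, 4, 7)   # mod_proxy SSRF affects 2.4.7 and later


def parse_version(text):
    """Return (major, minor, patch) from text such as 'Apache/2.4.51 (Unix)'
    (the format of 'httpd -v' output and of the Server header), or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def ssrf_version_affected(version):
    """mod_proxy SSRF: affected from 2.4.7 up to, not including, 2.4.52."""
    return SSRF_FIRST_AFFECTED <= version < FIXED_IN


def lua_version_affected(version):
    """mod_lua overflow: the article only states that 2.4.52 fixes it."""
    return version < FIXED_IN


def proxy_requests_enabled(conf_text):
    """True if a non-comment line sets 'ProxyRequests On'. Directive names
    and On/Off values are matched case-insensitively, as httpd does."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) >= 2 and parts[0].lower() == "proxyrequests":
            if parts[1].lower() == "on":
                return True
    return False


def lua_scripts_calling_parsebody(scripts):
    """scripts: mapping of file name -> Lua source. Returns the sorted names
    of scripts that call parsebody(), ignoring Lua '--' line comments."""
    call = re.compile(r"\bparsebody\s*\(")
    hits = []
    for name, src in scripts.items():
        code_only = "\n".join(re.sub(r"--.*", "", ln) for ln in src.splitlines())
        if call.search(code_only):
            hits.append(name)
    return sorted(hits)


def audit(version_text, conf_text, lua_scripts):
    """Return a list of human-readable findings (empty means nothing to do)."""
    version = parse_version(version_text)
    if version is None:
        return ["version: could not determine Apache version"]
    findings = []
    if ssrf_version_affected(version) and proxy_requests_enabled(conf_text):
        findings.append("mod_proxy SSRF: version %d.%d.%d is in the affected "
                        "range and ProxyRequests is On" % version)
    if lua_version_affected(version):
        for name in lua_scripts_calling_parsebody(lua_scripts):
            findings.append("mod_lua overflow: %s calls r:parsebody() on an "
                            "unpatched version" % name)
    return findings


# Constructed sample inputs for the demonstration.
SAMPLE_VERSION = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021"
SAMPLE_CONF = """# constructed httpd.conf fragment
LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so
# ProxyRequests Off    <- commented out, must be ignored
ProxyRequests On
"""
SAMPLE_LUA = {
    "upload.lua": "function handle(r)\n  local form = r:parsebody()\n  return apache2.OK\nend\n",
    "ping.lua": "-- r:parsebody() is only mentioned in this comment\n"
                "function handle(r)\n  r:puts('pong')\n  return apache2.OK\nend\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_CONF, SAMPLE_LUA) or ["no findings"]:
        print(finding)
```

In real use, feed `audit()` the output of `httpd -v`, the concatenated server configuration (including included files) and the Lua handler sources; a finding on either item means the 2.4.52 upgrade should be scheduled ahead of other changes, and until then `ProxyRequests Off` removes the condition the SSRF needs.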

Finally, if you want to know more about this new release, you can check the details at the following link.
