https://downloads.apache.org/httpd/CHANGES_2.4.58

*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org)
   When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.
   This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.
   Users are recommended to upgrade to version 2.4.58, which fixes the issue.
   Credits: Will Dormann of Vul Labs

*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org)
   An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.
   This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.
   This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
   Users are recommended to upgrade to version 2.4.58, which fixes the issue.
   Credits: Prof. Sven Dietrich (City University of New York)

*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org)
   Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
   Credits: David Shoon (github/davidshoon)
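As an added defender-side example (not part of this bug report, nor Apache or Gentoo code), a small Python helper that takes the affected ranges exactly as the CHANGES entries above state them and reports which of the three CVEs apply to a given httpd version string, whether `httpd -v` output or a Gentoo PV such as 2.4.57-r5. It assumes that CVE-2023-45802, whose entry only says "fixed in 2.4.58", affects every earlier 2.4.x release, and that the two HTTP/2 entries are moot when mod_http2 is not loaded; the sample inputs are constructed.

```python
import re
from typing import Optional

Version = tuple[int, int, int]

# Affected ranges as stated in the quoted 2.4.58 CHANGES entries:
# (cve, first affected or None when the entry gives no lower bound,
#  last affected, only relevant when HTTP/2 is enabled)
# Assumption: CVE-2023-45802 only says "fixed in 2.4.58", so its lower
# bound is treated as open (every earlier release counts as affected).
ADVISORIES = [
    ("CVE-2023-45802", None, (2, 4, 57), True),
    ("CVE-2023-43622", (2, 4, 55), (2, 4, 57), True),
    ("CVE-2023-31122", None, (2, 4, 57), False),
]

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract x.y.z from 'httpd -v' output or a Gentoo PV like '2.4.57-r5'.

    The Gentoo -rN revision suffix is ignored on purpose: it marks a
    packaging change, not an upstream release, so the upstream ranges
    are what decide exposure.
    """
    m = _VER_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def applicable_cves(text: str, http2_enabled: bool = True) -> list[str]:
    """Return the CVEs from ADVISORIES whose stated range covers the version."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    hits = []
    for cve, lo, hi, needs_h2 in ADVISORIES:
        if needs_h2 and not http2_enabled:
            continue  # HTTP/2 issues need mod_http2 to be reachable
        if (lo is None or v >= lo) and v <= hi:
            hits.append(cve)
    return hits


# Constructed sample input mimicking `httpd -v` output.
HTTPD_V_OUTPUT = "Server version: Apache/2.4.57 (Unix)\nServer built:   Oct 11 2023"

if __name__ == "__main__":
    for sample in (HTTPD_V_OUTPUT, "2.4.57-r5", "2.4.54", "2.4.58"):
        print(parse_version(sample), applicable_cves(sample))
```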
Testing 2.4.58 on amd64, temporary solution (since the patch is included in the apache tarball): --- apache-2.4.57-r5.ebuild 2023-10-11 06:10:32.000000000 +0000 +++ apache-2.4.58.ebuild 2023-10-19 10:53:08.600838939 +0000 pkg_setup() { # dependent critical modules which are not allowed in global scope due @@ -156,6 +156,12 @@ apache-2_pkg_setup } +src_unpack() { + default + + rm "${WORKDIR}/gentoo-apache-2.4.57-r5/patches/06_rustls_ffi.patch" || die +} + src_configure() { # Brain dead check. tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" Small nitpick regarding 00_default_ssl_vhost.conf, the formatting is broken: <VirtualHost _default_:443> ServerName localhost Include /etc/apache2/vhosts.d/default_vhost.include ErrorLog /var/log/apache2/ssl_error_log <IfModule log_config_module> TransferLog /var/log/apache2/ssl_access_log </IfModule> ## SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # TLS defaults are set according to the Mozilla intermediate # configuration: https://ssl-config.mozilla.org/ ## SSLProtocol: # Disable old protocol versions that have known flaws or are deprecated. SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA -AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
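Review bot: the `rm` in the added `src_unpack()` hard-codes the 2.4.57-r5 patchset directory (`${WORKDIR}/gentoo-apache-2.4.57-r5/patches/06_rustls_ffi.patch`) inside a 2.4.58 ebuild, so the workaround silently stops matching anything as soon as the patchset name is bumped. Since the rustls change is already in the 2.4.58 tarball, the cleaner fix is a patchset that no longer ships 06_rustls_ffi.patch, or at least a path derived from the variable the ebuild uses for the patchset name rather than a literal. The `|| die` after the `rm` is the right call: a renamed or absent file is then caught at unpack time instead of surfacing as an unexpected patch during prepare.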
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36495e104250a29939693900521c329b681dbb72

commit 36495e104250a29939693900521c329b681dbb72
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-19 12:20:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-19 12:21:04 +0000

    www-servers/apache: add 2.4.58

    Bug: https://bugs.gentoo.org/915996
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   2 +
 www-servers/apache/apache-2.4.58.ebuild | 256 ++++++++++++++++++++++++++++++++
 2 files changed, 258 insertions(+)
Thanks Hans
Does CVE-2023-44487 actually affect Apache itself? It seems like CVE-2023-45802 is at least a very similar (if not the same) vulnerability, but that would make it uniquely tracked, separately of CVE-2023-44487? (i.e. for our tracking, we'd "see also" CVE-2023-44487 rather than block it)
(In reply to John Helmert III from comment #4)
> Does CVE-2023-44487 actually affect Apache itself? It seems like
> CVE-2023-45802 is at least a very similar (if not the same) vulnerability,
> but that would make it uniquely tracked, separately of CVE-2023-44487? (i.e.
> for our tracking, we'd "see also" CVE-2023-44487 rather than block it)

Initial reports were that it didn't, but in the end it did expose a number of smaller issues. The problem with CVE-2023-44487 is that it is a generic issue not specific to implementations, and the CVEs in this bug are specific issues in Apache triggered by CVE-2023-44487. So I feel this bug should block CVE-2023-44487.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e7cd64ace1b6cd339c47f94477ec03ccd94002b

commit 6e7cd64ace1b6cd339c47f94477ec03ccd94002b
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-02-11 15:15:31 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-11 15:15:57 +0000

    www-servers/apache: drop 2.4.57, 2.4.57-r6

    Bug: https://bugs.gentoo.org/915996
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest                |   3 -
 www-servers/apache/apache-2.4.57-r6.ebuild | 256 ----------------------------
 www-servers/apache/apache-2.4.57.ebuild    | 264 -----------------------------
 3 files changed, 523 deletions(-)