Changes with Apache 2.4.25

  *) Fix some build issues related to various modules. [Rainer Jung]

Changes with Apache 2.4.24

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
     [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University, Stefan Eissing]

  *) SECURITY: CVE-2016-5387 (cve.mitre.org)
     core: Mitigate [f]cgi "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

  *) SECURITY: CVE-2016-2161 (cve.mitre.org)
     mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]

  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
     mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.
     [Yann Ylavic, Colm MacCarthaigh]

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.
     [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of looping RewriteRules when the local path significantly exceeds LimitRequestLine. PR 60478.
     [Jeff Wheelhouse <apache wheelhouse.org>]

  *) mod_ratelimit: Allow for initial "burst" amount at full speed before throttling. PR 60145.
     [Andy Valencia <ajv-etradanalhos vsta.org>, Jim Jagielski]

  *) mod_socache_memcache: Provide memcache stats to mod_status. [Jim Jagielski]

  *) http_filters: Fix potential looping in new check_headers() due to new pattern of ap_die() from http header filter. Explicitly clear the previous headers and body.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses. PR 51350. [Luca Toscano]

  *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is configured in <Location>, like in 2.2. PR 60458. [Eric Covener]

  *) mod_lua: Fix default value of LuaInherit directive. It should be 'parent-first' instead of 'none', as per documentation. PR 60419. [Christophe Jaillet]

  *) core: New directive HttpProtocolOptions to control httpd enforcement of various RFC7230 requirements. [Stefan Fritsch, William Rowe]

  *) core: Permit unencoded ';' characters to appear in proxy requests and Location: response headers. Corresponds to modern browser behavior. [William Rowe]

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute URL in the request line. [Stefan Fritsch]

  *) core: New directive RegisterHttpMethod for registering non-standard HTTP methods. [Stefan Fritsch]

  *) mod_socache_memcache: Pass expiration time through to memcached. [Faidon Liambotis <paravoid debian.org>, Joe Orton]

  *) mod_cache: Use the actual URI path and query-string for identifying the cached entity (key), such that rewrites are taken into account when running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]

  *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status 103 interim responses. Disabled by default. [Stefan Eissing]

  *) mod_ssl: Fix quick renegotiation (OptRenegotiate) with no intermediate in the client certificate chain. PR 55786. [Yann Ylavic]

  *) event: Allow to use the whole allocated scoreboard (up to ServerLimit slots) to avoid scoreboard full errors when some processes are finishing gracefully. Also, make gracefully finishing processes close all keep-alive connections. PR 53555. [Stefan Fritsch]

  *) mpm_event: Don't take over scoreboard slots from gracefully finishing threads. [Stefan Fritsch]

  *) mpm_event: Free memory earlier when shutting down processes. [Stefan Fritsch]

  *) mod_status: Display the process slot number in the async connection overview. [Stefan Fritsch]

  *) mod_dir: Responses that go through "FallbackResource" might appear to hang due to unterminated chunked encoding. PR 58292. [Eric Covener]

  *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect behavior in a routine that sends <DAV:response>'s to the output filters. [Evgeny Kotkov]

  *) mod_http2: new directive 'H2PushResource' to enable early pushes before processing of the main request starts. Resources are announced to the client in Link headers on a 103 early hint response. All responses with status code <400 are inspected for Link header and trigger pushes accordingly. 304 still does prevent pushes. 'H2PushResource' can mark resources as 'critical' which gives them higher priority than the main resource. This leads to preferred scheduling for processing and, when content is available, will send it first. 'critical' is also recognized on Link headers. [Stefan Eissing]

  *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable local url when available. Relative uris with an absolute path are mapped as well. This makes reverse proxy mapping available for resources announced in this header. With 103 interim responses being forwarded to the main client connection, this effectively allows early pushing of resources by a reverse proxied backend server. [Stefan Eissing]

  *) mod_proxy_http2: adding support for newly proposed 103 status code. [Stefan Eissing]

  *) mpm_unix: Apache fails to start if previously crashed then restarted with the same PID (e.g. in container). PR 60261. [Val <valentin.bremond gmail.com>, Yann Ylavic]

  *) mod_http2: unannounced and multiple interim responses (status code < 200) are parsed and forwarded to client until a final response arrives. [Stefan Eissing]

  *) mod_proxy_http2: improved robustness when main connection is closed early by resetting all ongoing streams against the backend. [Stefan Eissing]
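The CVE-2016-8743 entry above says 2.4.25 now rejects request lines and header fields that violate the RFC 7230 grammar, and the new HttpProtocolOptions directive (default Strict; Unsafe restores the old tolerant parsing) controls that enforcement. The following is an added example, not part of this bug report and not httpd's own parser: a small Python model of the RFC 7230 request-head grammar (token field-names, no whitespace before the colon, no obs-fold, no bare CR or LF, a single SP between the request-line parts) run over a few constructed raw requests so you can see which shapes of input the strict parser turns away with a 400. The sample requests, the example.test host and the helper names are assumptions of this example.

```python
"""Simplified RFC 7230 request-head grammar checker.

Added example, not httpd code: it models the rules httpd 2.4.25 enforces
under `HttpProtocolOptions Strict` so that malformed heads which could be
used for request/response splitting or cache pollution can be recognised.
The sample requests at the bottom are constructed for this example.
"""
import re

# RFC 7230 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#                  "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# field-value content: VCHAR, obs-text, SP and HTAB (no CR, LF or other CTLs)
FIELD_VALUE = re.compile(rb"^[\x21-\x7E\x80-\xFF \t]*$")
# request-target: printable ASCII, no whitespace
REQUEST_TARGET = re.compile(rb"^[\x21-\x7E]+$")
HTTP_VERSION = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def check_request_head(raw: bytes) -> list[str]:
    """Return the grammar violations found in a raw request head.

    An empty list means the head is well-formed under this simplified grammar;
    any entry corresponds to something the strict parser would reject.
    """
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n")

    # Lines were split on CRLF, so any CR or LF left over is a bare one.
    for n, line in enumerate(lines):
        if b"\r" in line or b"\n" in line:
            violations.append(f"line {n}: bare CR or LF inside line")

    # request-line = method SP request-target SP HTTP-version
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        violations.append("request-line: expected exactly one SP between the three parts")
    else:
        method, target, version = parts
        if not TOKEN.match(method):
            violations.append("request-line: method is not a token")
        if not REQUEST_TARGET.match(target):
            violations.append("request-line: request-target contains whitespace or control chars")
        if not HTTP_VERSION.match(version):
            violations.append("request-line: bad HTTP-version")

    # header-field = field-name ":" OWS field-value OWS  (no obs-fold)
    for n, line in enumerate(lines[1:], start=1):
        if line[:1] in (b" ", b"\t"):
            violations.append(f"line {n}: obs-fold (leading whitespace) is not allowed")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            violations.append(f"line {n}: header line has no colon")
            continue
        if not TOKEN.match(name):
            violations.append(f"line {n}: field-name {name!r} is not a token (whitespace before ':'?)")
        if not FIELD_VALUE.match(value.strip(b" \t")):
            violations.append(f"line {n}: field-value contains control characters")
    return violations


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Well-formed: single SP separators, token field-names, CRLF terminators.
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: check/1.0\r\n\r\n",
    # Whitespace before the colon makes the field-name a non-token.
    "space_before_colon": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Bad : v\r\n\r\n",
    # Bare CR inside a header line: the classic splitting / cache-pollution shape.
    "bare_cr": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Foo: a\rInjected: b\r\n\r\n",
    # Two SPs in the request-line.
    "double_space": b"GET  / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # obs-fold continuation line.
    "obs_fold": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Long: a\r\n b\r\n\r\n",
}


def rejected(name: str) -> bool:
    """True if the named sample would be refused by the strict grammar."""
    return bool(check_request_head(SAMPLES[name]))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        found = check_request_head(raw)
        print(f"{name:19s} {'400 Bad Request' if found else 'accepted':16s} {found}")
```

Only the "clean" request comes back with no violations; each of the other four trips a different rule, which is the set of inputs a lenient parser (or an intermediary in front of one) could interpret differently from httpd and thereby split or poison a cached response.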
CVE-2016-8740 is handled via bug 601736. CVE-2016-5387 was handled via bug 589226.
commit 8b43dcbc13a294300bfdfeaa6e41721db42576fe
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Dec 19 23:54:24 2016

    www-servers/apache: Security bump to version 2.4.25 (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

commit 6d9dc083415a0065da55f0816b5f187790828529
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Dec 19 23:48:36 2016

    app-admin/apache-tools: Security bump to version 2.4.25 (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

Arches please test and mark stable the following two packages:

=app-admin/apache-tools-2.4.25
=www-servers/apache-2.4.25

Target KEYWORDS are: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Stable on amd64.
x86 stable
ppc64 stable
arm stable
sparc stable
ia64 stable
ppc stable
Adding alpha as it is still pending...
Stable on alpha.
Stable for HPPA.
@ Maintainer(s): Please cleanup www-servers/apache and app-admin/apache-tools.
commit 4f45ecb82321ba88f26ea9c82cb5952b0ae3874d
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Jan 15 02:38:10 2017

    app-admin/apache-tools: Security cleanup (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

commit 8c0256f247080f7c423e500cf4adc936792562b2
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Jan 15 02:37:30 2017

    www-servers/apache: Security cleanup (bug #603130).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
This issue was resolved and addressed in GLSA 201701-36 at https://security.gentoo.org/glsa/201701-36 by GLSA coordinator Aaron Bauman (b-man).