The release of the Apache HTTP server 2.4.52 has been published , which contains 25 changes and fixes 2 vulnerabilities :
- -2021-44790 CVE – buffer overflow in mod_lua, manifested parsing requests, consisting of several parts (multipart). The vulnerability affects configurations in which Lua scripts call the r: parsebody () function to parse the request body and allow an attacker to achieve a buffer overflow by sending a specially crafted request. The facts of the presence of an exploit have not yet been identified, but potentially the problem can lead to the execution of its code on the server.
- CVE-2021-44224 – SSRF vulnerability (Server Side Request Forgery) in mod_proxy, which allows, in configurations with the “ProxyRequests on” setting, through a request for a specially formed URI, to redirect the request to another handler on the same server that accepts connections via a Unix Domain Socket. The problem can also be used to cause a crash by creating conditions for dereferencing a null pointer. The issue affects Apache httpd versions since 2.4.7.
Notable non-security changes:
- Added support for building with the OpenSSL 3 library in mod_ssl .
- Improved detection of OpenSSL library in autoconf scripts.
- In mod_proxy for tunneling protocols, it is possible to disable the redirection of half-close TCP connections by setting the “SetEnv proxy-nohalfclose” parameter.
- Added additional checks that URIs not intended for proxying contain the http / https scheme, but those intended for proxying contain the hostname.
- In mod_proxy_connect and mod_proxy, it is forbidden to change the status code after sending it to the client.
- Sending interim responses after receiving requests with the header “Expect: 100-Continue” is provided with the result that the state is “100 Continue” rather than the current state of the request.
- Mod_dav adds support for CalDAV extensions, which must take both document and property elements into account when generating a property. Added new functions dav_validate_root_ns (), dav_find_child_ns (), dav_find_next_ns (), dav_find_attr_ns () and dav_find_attr (), which can be called from other modules.
- Mpm_event resolves the problem with stopping idle child processes after a spike in server load.
- In mod_http2, regressive changes that lead to incorrect behavior when handling MaxRequestsPerChild and MaxConnectionsPerChild constraints have been fixed.
- The capabilities of the mod_md module, used to automate the receipt and maintenance of certificates using the ACME (Automatic Certificate Management Environment) protocol, have been expanded:
- Added support for the ACME External Account Binding (EAB) mechanism , which is enabled using the MDExternalAccountBinding directive. The values for the EAB can be configured from an external JSON file so that the authentication parameters are not exposed in the main server configuration file.
- The directive ‘MDCertificateAuthority’ provides verification of the indication in the URL parameter http / https or one of the predefined names (‘LetsEncrypt’, ‘LetsEncrypt-Test’, ‘Buypass’ and ‘Buypass-Test’).
- Allowed to specify the MDContactEmail directive inside the <MDomain dnsname> section.
- Several bugs have been fixed, including a memory leak that occurs when a private key fails to load.
