Published Release HTTP Server Apache 2.4.49, in which 27 changes and eliminated 5 vulnerabilities :
- CVE-2021-33193 – MOD_HTTP2 exposure to a new version of the Attack “HTTP Request Smuggling”, which allows sending specially decorated client requests to split into the contents of other users’ requests transmitted via MOD_PROXY (for example, you can achieve wilderness of a malicious JavaScript code into the other session Site user).
- CVE-2021-40438 – SSRF-Vulnerability (Server Side Request Forgery) in MOD_Proxy, allowing us through sending a specially decorated URI-PATH query to achieve a request to redirect the request to the server selected by the attacker.
- CVE-2021-39275 – buffer overflow in the AP_ESCAPE_QUOTES functions. Vulnerability is marked as non-hazardous, since all regular modules do not transmit external data into this function. But theoretically, there may be third-party modules through which you can make an attack.
- CVE-2021-36160 – readings from the area outside the borders of the buffer in the MOD_PROXY_UWSGI module, leading to the collapse.
- CVE-2021-34798 – Raming the zero pointer, leading to the collapse of the process when processing special decorated queries.
The most notable changes in security:
- a lot of internal changes in MOD_SSL. From mod_ssl to the main stuffing (CORE), the settings “ssl_engine_set”, “ssl_engine_disable” and “ssl_proxy_enable” are transferred. The possibility of using alternative SSL modules to protect connections via MOD_PROXY is given. Added the ability to conduct a log of closed keys that can be used in Wireshark to analyze encrypted traffic.
- in MOD_PROXY is accelerated by the dissemination of paths with UNIX Socket transmitted to the URL “Proxy:”.
- extended the capabilities of the MOD_MD module used to automate the receipt and maintenance of certificates using the ACME (Automatic Certificate Management Environment) protocol. The framing of domain quotes is allowed in and provided support for TLS-ALPN-01 for domain names that are not tied to virtual hosts.
- Added parameter StrictHostCheck, prohibiting the indication of non-configured host names Among the arguments of the list “Allow”.
/Media reports.