Published Release HTTP Server Apache 2.4.53, in which 14 of the changes and eliminated 4 vulnerabilities :
- CVE-2022-22720 – Ability to make an attack “HTTP Request Smuggling”, allowing Sending specially decorated client requests to wed up into the contents of requests for other users transmitted via MOD_PROXY (for example, you can achieve a malicious JavaScript code in the session of another website user). The problem is caused by leaving open incoming connections after errors occur when processing an incorrect query body.
- CVE-2022-23943 – buffer overflow in the MOD_SED module, allowing to overwrite the contents of memory heap Data controlled by attacking.
- CVE-2022-22721 – Ability to record abroad buffer due to integer overflow, The resulting bodies of the request is more than 350MB. The problem is manifested in 32-bit systems in the settings of which is set too much the limitxmlrequestbody value (by default 1 MB, for the attack the limit should be higher than 350 MB).
- CVE-2022-22719 – Vulnerability in MOD_LUA, which allows you to read the random memory areas and The collapse of the process when processing a specially decorated bodies of the request. The problem is caused by the use of uninitialized values in the R: PARSEBODY function code.
The most notable changes in security:
- in mod_proxy is raised by the limit to the number of characters in the Processor name (Worker). Added the ability to selectively set up timaouts for backend and frontland (for example, in the binding to Worker-y). For requests transmitted via WebSockets or Connect Method, timeout time is changed to the maximum value exhibited for backend and front.
- DISCOPED DBM file opening and downloading DBM drivers. In case of failure in the log, more detailed error information and driver are displayed.
- in mod_md stopped processing of requests to /.well-known/acme-challenge/, if the domain settings clearly does not include the use of the type of verification ‘HTTP-01’.
- in MOD_DAV is fixed with a regressive change, which leads to a large memory consumption in the processing of a large number of resources.
- Added the ability to use the PCRE2 library (10.x) instead of PCRE (8.x) for processing regular expressions.
- In Query Filters Added Support for Anneal Analysis for LDAP Protocol for Correct Shielding Data When you try to make attacks for LDAP-structures.
- MPM_EVENT eliminated mutual blocking that occurs during the peberpool or exceeding the MaxConnectionSperchild limit on high-loaded systems.
/Media reports.