Apache HTTP Server 2.4.53 has been released, bringing 19 changes and fixing 8 vulnerabilities:
- CVE-2022-31813: a vulnerability in mod_proxy that allows a client to suppress the sending of the X-Forwarded-* headers carrying the IP address from which the original request was received. The issue can be used to bypass IP-address-based access restrictions.
- CVE-2022-30556: a vulnerability in mod_lua that allows access to data outside the allocated buffer through manipulation of the r:wsread() function in Lua scripts.
- CVE-2022-30522: denial of service (exhaustion of available memory) when processing certain data with the mod_sed module.
- CVE-2022-29404: denial of service in mod_lua, exploited by sending specially crafted requests to Lua handlers that use the r:parsebody(0) call.
- CVE-2022-28615, CVE-2022-28614: denial of service or access to data in process memory due to errors in the ap_strcmp_match() and ap_rwrite() functions that lead to out-of-bounds reads.
- CVE-2022-28330: information leak from areas outside the buffer boundaries in mod_isapi (the issue affects only the Windows platform).
- CVE-2022-26377: the mod_proxy_ajp module is susceptible to HTTP Request Smuggling attacks against front-end systems, which allow an attacker to inject into the content of other users' requests processed over the same connection between the frontend and the backend.
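The mod_proxy issue above matters because backend applications often derive the client address from X-Forwarded-For and then apply an IP allow-list. The defensive counterpart is to fail closed: when a request arrives from the reverse proxy without the header the proxy is expected to add, the client address is unknown and the allow-list check must deny. The following is an added illustration, not code from the Apache project; the trusted-proxy range, the allow-list and the header values are constructed sample data.

```python
"""Fail-closed client-IP resolution behind a reverse proxy (added example)."""
import ipaddress
from typing import Mapping, Optional

# Constructed: the network the Apache reverse proxy connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: clients allowed to reach an IP-restricted area.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the real client IP, or None when it cannot be established."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: the TCP peer is the client.
        return str(peer)
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        # The proxy is expected to add X-Forwarded-For. If it is absent
        # (as when the header is suppressed), do not fall back to the
        # proxy's own address or to "internal, therefore trusted":
        # that fallback is what turns a missing header into a bypass.
        return None
    # The proxy appends the address it saw to whatever the client sent,
    # so with exactly one trusted hop the last element is authoritative.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def is_allowed(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """IP allow-list check that denies whenever the client IP is unknown."""
    ip = resolve_client_ip(peer_ip, headers)
    if ip is None:
        return False  # fail closed
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests as seen by the backend behind the proxy at 10.0.0.5.
    print(is_allowed("10.0.0.5", {"X-Forwarded-For": "192.0.2.10"}))   # True
    print(is_allowed("10.0.0.5", {}))                                   # False: header missing
    print(is_allowed("10.0.0.5", {"X-Forwarded-For": "192.0.2.10, 198.51.100.1"}))  # False
```

The last case shows why only the proxy-appended element is trusted: a client-supplied value at the front of the list is ignored, and the address the proxy actually saw decides. Applying the same fail-closed rule at the Apache layer (for example by terminating IP-restricted access at the proxy itself rather than at the backend) removes the dependency on the header altogether.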
The most notable changes not related to security:
- In mod_ssl, SSLFIPS compatibility with OpenSSL 3.0 is ensured.
- The ab utility now supports TLSv1.3 (this requires linking against an SSL library that supports the protocol).
- In mod_md, the MDCertificateAuthority directive may now specify more than one certificate authority name and URL. New directives have been added: MDRetryDelay (sets the delay before a request is retried) and MDRetryFailover (sets the number of retries after a failure before an alternative certificate authority is chosen). Added support for the "auto" state when printing values in "key: value" format. Added the ability to manage certificates for users of the Tailscale private VPN network.
- The mod_http2 module has been cleaned of unused and unsafe code.
- In mod_proxy, the backend network port is now included in errors written to the log.
- In mod_heartmonitor, the default value of the HeartbeatMaxServers parameter has been changed from 0 to 10 (initializing 10 shared-memory slots).