Apache 2.4.61 Released, Fixes Key Vulnerabilities

Apache HTTP Server 2.4.61 is now available, published almost immediately after release 2.4.60. It corrects a regression introduced in 2.4.60 (CVE-2024-39884) that allows the source code of scripts whose handling is configured via the AddType directive to be viewed (for example, a specially crafted request for a PHP script can cause its contents to be displayed instead of executed).

Apache httpd 2.4.60 fixed 8 vulnerabilities, 5 of which are rated important, and also introduced 13 changes. The identified vulnerabilities:

  • CVE-2024-38473 - a problem in mod_proxy that allows an attacker to bypass authentication on backend services by using incorrectly encoded URLs.
  • CVE-2024-38476 - if a vulnerable application is used as a backend, an attacker can achieve local script execution or information leakage.
  • CVE-2024-38474, CVE-2024-38475 - incorrect escaping of mod_rewrite output allows an attacker to map a URL to a directory in the local filesystem that is served by the HTTP server but is not reachable via any link.
  • CVE-2024-38472 - the ability to carry out an SSRF attack against servers on the Windows platform.
  • CVE-2024-39573 - the ability to carry out an SSRF (Server-Side Request Forgery) attack via mod_rewrite, causing URLs to be handled by mod_proxy when unsafe rules are present in the configuration.
  • CVE-2024-36387 - denial of service due to a null pointer dereference when using the WebSocket protocol on top of HTTP/2.
  • CVE-2024-38477 - denial of service when mod_proxy processes a specially crafted request, caused by a null pointer dereference.
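To turn the two announcements into an inventory check, the following added example (not code from the announcement or from the Apache project) parses the version string that httpd reports in `httpd -v` output or in the `Server` response header and lists which of the CVEs named above are still unfixed in that version. The fix versions are the ones stated in the text (2.4.60 for the eight vulnerabilities, 2.4.61 for the CVE-2024-39884 regression); the sample version strings are constructed.

```python
"""Report which CVEs from the Apache httpd 2.4.60 / 2.4.61 announcements
still apply to a given reported httpd version.

Added example, not part of the announcement or of Apache httpd. The
CVE-to-fix-version mapping comes from the announcement text; the sample
inputs below are constructed.
"""
import re

# First release in which each CVE is fixed, per the announcements.
FIXED_IN = {
    (2, 4, 60): [
        "CVE-2024-38473", "CVE-2024-38476", "CVE-2024-38474",
        "CVE-2024-38475", "CVE-2024-38472", "CVE-2024-39573",
        "CVE-2024-36387", "CVE-2024-38477",
    ],
    (2, 4, 61): ["CVE-2024-39884"],
}

# Matches the version token as printed by 'httpd -v' ("Server version:
# Apache/2.4.60 (Unix)") and as sent in the Server header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(text):
    """Return (major, minor, patch) found in `text`, or None when no
    version is exposed (e.g. 'ServerTokens Prod' yields just 'Apache')."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def unfixed_cves(version):
    """Return the announced CVEs not yet fixed in `version` (a tuple from
    parse_apache_version), sorted; None if the version is unknown."""
    if version is None:
        return None
    return sorted(
        cve
        for fixed_version, cves in FIXED_IN.items()
        if version < fixed_version
        for cve in cves
    )


def report(text):
    """Convenience wrapper: parse `text` and describe the exposure."""
    version = parse_apache_version(text)
    if version is None:
        return "version not exposed; check 'httpd -v' on the host"
    pending = unfixed_cves(version)
    label = ".".join(str(p) for p in version)
    if not pending:
        return f"Apache/{label}: none of the announced CVEs apply"
    return f"Apache/{label}: unfixed: {', '.join(pending)}"


if __name__ == "__main__":
    # Constructed sample inputs: an 'httpd -v' line and two Server headers.
    for sample in (
        "Server version: Apache/2.4.59 (Unix)",
        "Server: Apache/2.4.60 (Debian)",
        "Server: Apache/2.4.61 (Unix)",
        "Server: Apache",
    ):
        print(report(sample))
```

Note that a distribution package may backport fixes without bumping the upstream version number, so a result from the `Server` header alone is a prompt to check the package changelog, not a final verdict.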

Among the changes not related to security:

  • The Listen and VirtualHost directives gained support for specifying the zone (scope) of link-local IPv6 addresses.
  • The contents of the mime.types file were updated.
  • Optional support for file descriptor passing was added to mod_cgid.
  • In the mod_tls module, the rustls-ffi package was updated to version 0.13.0.
  • In the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, the MDCheckInterval directive was added to set the certificate check interval.

/Reports, release notes, official announcements.