Apache HTTP Server 2.4.55 released with vulnerability fixes

Apache HTTP Server 2.4.55 has been released, bringing 18 changes and fixing 3 vulnerabilities:


    • CVE-2022-37436: HTTP response splitting in mod_proxy. A backend under the attacker's control can craft the HTTP response headers so that the headers following them end up in the response body (for example, this can cause security headers to be dropped).
    • CVE-2022-36760: the mod_proxy_ajp module is susceptible to HTTP request smuggling attacks against frontend systems, which allow an attacker to inject content into the requests of other users processed in the same stream between the frontend and the backend.
    • CVE-2006-20001: in mod_dav, a single zero byte could be written outside the buffer boundaries while processing a specially crafted "If:" header.
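As an added illustration of the failure mode behind the mod_proxy response-splitting issue (this is example code written for this page, not code from the Apache project or from the article): a simplified model in which a proxy that stops parsing headers at the first malformed line shifts the remaining headers into the body, shown beside a strict parser that rejects the reply instead. The two backend replies, the header-name rule and the list of required security headers are constructed for the example; it does not reproduce Apache's actual parsing code.

```python
import re

# RFC 9110 "token" characters allowed in a header field name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Bytes that must never appear inside a header field value.
_BAD_VALUE_CHARS = re.compile(rb"[\x00\r\n]")

# Security headers this example expects the backend to set (constructed policy).
REQUIRED_SECURITY_HEADERS = (b"content-security-policy", b"x-content-type-options")

# Constructed backend reply: the third line is not a valid "Name: value" field.
SAMPLE_BACKEND_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"this line is not a header\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html>hello</html>"
)

# Constructed well-formed reply for comparison.
GOOD_BACKEND_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html>ok</html>"
)


class MalformedResponse(Exception):
    """Backend reply cannot be parsed safely; a proxy should answer 502."""


def _split(raw: bytes):
    """Return (status line, header lines, body); raise if headers never end."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedResponse("header block not terminated")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def parse_lenient(raw: bytes):
    """Models the failure mode: the first unparsable line ends the header
    block and every remaining header line is shifted into the body.
    (Simplified model of the bug class, not Apache's actual code.)"""
    status, lines, body = _split(raw)
    headers = {}
    for i, line in enumerate(lines):
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            body = b"\r\n".join(lines[i:]) + b"\r\n\r\n" + body
            break
        headers[name.lower()] = value.strip()
    return status, headers, body


def parse_strict(raw: bytes):
    """Defender's version: any malformed header line is a hard failure, so
    nothing that was meant to be a header can leak into the body."""
    status, lines, body = _split(raw)
    headers = {}
    for line in lines:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name) or _BAD_VALUE_CHARS.search(value):
            raise MalformedResponse(f"bad header line: {line!r}")
        headers[name.lower()] = value.strip()
    return status, headers, body


def missing_security_headers(headers: dict) -> list:
    """Names from REQUIRED_SECURITY_HEADERS that are absent after parsing."""
    return [h for h in REQUIRED_SECURITY_HEADERS if h not in headers]


def strict_rejects(raw: bytes) -> bool:
    """True if the strict parser refuses the reply (proxy would send 502)."""
    try:
        parse_strict(raw)
    except MalformedResponse:
        return True
    return False


if __name__ == "__main__":
    _, hdrs, body = parse_lenient(SAMPLE_BACKEND_REPLY)
    print("lenient: missing", missing_security_headers(hdrs),
          "| leaked into body:", b"Content-Security-Policy" in body)
    print("strict rejects malformed reply:", strict_rejects(SAMPLE_BACKEND_REPLY))
    print("strict accepts good reply:", not strict_rejects(GOOD_BACKEND_REPLY))
```

Run stand-alone, the lenient parser reports both security headers as missing and shows the Content-Security-Policy line inside the body, while the strict parser refuses the same reply and accepts the well-formed one. Monitoring the proxy's 502 rate after upgrading, or after adding such a check in front of an older proxy, is a practical way to notice a backend that emits malformed headers.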

    The most notable changes not related to security:

    • mod_proxy_http2 has been moved to the common mechanism, shared with the other proxy modules, for handling response content coming from backends.
    • mod_proxy_hcheck now takes into account the timeout value set for workers.
    • In mod_http2, the connection handling code has been partially rewritten: the pollset facility from APR (Apache Portable Runtime) is now used to track the main connection and to handle input/output for requests and responses. Leading and trailing spaces and tabs are now stripped from header and request values.
    • In mod_proxy_hcheck, the hcmethod parameter now allows HTTP/1.1 requests via the GET11, HEAD11 and OPTIONS11 methods. Proper support for AJP/CPing has been provided.
    • mod_authn_core adds support for expressions in AuthName and AuthType.
    • The MDStoreLocks directive has been added to mod_md to lock the shared store, so that renewed certificates are activated correctly when several cluster nodes are restarted.
    • mod_heartmonitor now allows the directive "HeartbeatMaxServers 0" to be specified in order to use file storage instead of slotmem.
    • A DavLockDiscovery option has been added to mod_dav to disable WebDAV lock discovery.