svn commit: r1916800 - in /httpd/httpd/branches/2.4.x: CHANGES NOTICE STATUS docs/manual/style/version.ent include/ap_release.h
Author: covener
Date: Thu Apr 4 13:52:54 2024
New Revision: 1916800

URL: http://svn.apache.org/viewvc?rev=1916800&view=rev
Log:
publishing release httpd-2.4.59

Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/NOTICE
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/docs/manual/style/version.ent
httpd/httpd/branches/2.4.x/include/ap_release.h

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1916800&r1=1916799&r2=1916800&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Apr 4 13:52:54 2024
@@ -1,6 +1,35 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.60
+
Changes with Apache 2.4.59

+ *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
+ memory exhaustion on endless continuation frames (cve.mitre.org)
+ HTTP/2 incoming headers exceeding the limit are temporarily
+ buffered in nghttp2 in order to generate an informative HTTP 413
+ response. If a client does not stop sending headers, this leads
+ to memory exhaustion.
+ Credits: Bartek Nowotarski (https://nowotarski.info/)
+
+ *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
+ Splitting in multiple modules (cve.mitre.org)
+ HTTP Response splitting in multiple modules in Apache HTTP
+ Server allows an attacker that can inject malicious response
+ headers into backend applications to cause an HTTP
+ desynchronization attack.
+ Users are recommended to upgrade to version 2.4.59, which fixes
+ this issue.
+ Credits: Keran Mu, Tsinghua University and Zhongguancun
+ Laboratory.
+
+ *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
+ splitting (cve.mitre.org)
+ Faulty input validation in the core of Apache allows malicious
+ or exploitable backend/content generators to split HTTP
+ responses.
+ This issue affects Apache HTTP Server: through 2.4.58.
+ Credits: Orange Tsai (@orange_8361) from DEVCORE
+
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
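
Review bot: The three SECURITY entries added at the top of the 2.4.59 section do not give the same remediation information. The CVE-2024-27316 entry names neither the affected versions nor the fixed release, the CVE-2023-38709 entry says "through 2.4.58" but has no upgrade line, and only the CVE-2024-24795 entry tells users to upgrade to 2.4.59. Operators triage from this file, so each entry should state the affected range and the fixed version in the same form, for example by adding "Users are recommended to upgrade to version 2.4.59, which fixes this issue." to the other two. The CVE-2024-27316 text also gives only the cause (headers over the limit buffered in nghttp2 for the 413 response); one sentence on what the server now does when a client keeps sending headers would let readers judge whether a configuration change is also needed.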

Modified: httpd/httpd/branches/2.4.x/NOTICE
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/NOTICE?rev=1916800&r1=1916799&r2=1916800&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/NOTICE (original)
+++ httpd/httpd/branches/2.4.x/NOTICE Thu Apr 4 13:52:54 2024
@@ -1,5 +1,5 @@
Apache HTTP Server
-Copyright 2023 The Apache Software Foundation.
+Copyright 2024 The Apache Software Foundation.

This product includes software developed at
The Apache Software Foundation (https://www.apache.org/).
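
Review bot: The copyright year change in NOTICE is not mentioned in the log message and lands in the same revision that marks 2.4.60 as in development in STATUS. Please confirm that the 2.4.59 release itself carried the 2024 notice. If it did not, the year update belongs in its own commit made before the release is cut, so that the shipped NOTICE matches the release date.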

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1916800&r1=1916799&r2=1916800&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Apr 4 13:52:54 2024
@@ -29,7 +29,8 @@ Release history:
[.NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
while x.{even}.z versions are Stable/GA releases.]

- 2.4.59 : In development
+ 2.4.60 : In development
+ 2.4.59 : Released on April 04, 2024
2.4.58 : Released on October 19, 2023
2.4.57 : Released on April 06, 2023
2.4.56 : Released on March 07, 2023

Modified: httpd/httpd/branches/2.4.x/docs/manual/style/version.ent
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/style/version.ent?rev=1916800&r1=1916799&r2=1916800&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/style/version.ent (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/style/version.ent Thu Apr 4 13:52:54 2024
@@ -19,6 +19,6 @@

<!ENTITY httpd.major "2">
<!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "59">
+<!ENTITY httpd.patch "60">

<!ENTITY httpd.docs "2.4">

Modified: httpd/httpd/branches/2.4.x/include/ap_release.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_release.h?rev=1916800&r1=1916799&r2=1916800&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/ap_release.h (original)
+++ httpd/httpd/branches/2.4.x/include/ap_release.h Thu Apr 4 13:52:54 2024
@@ -43,7 +43,7 @@

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER 59
+#define AP_SERVER_PATCHLEVEL_NUMBER 60
#define AP_SERVER_DEVBUILD_BOOLEAN 1

/* Synchronize the above with docs/manual/style/version.ent */
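
Review bot: The log message "publishing release httpd-2.4.59" does not match the AP_SERVER_PATCHLEVEL_NUMBER line, which moves from 59 to 60 while AP_SERVER_DEVBUILD_BOOLEAN stays at 1, so after this revision the branch identifies itself as a 2.4.60 development build. Suggest the log say so explicitly (something like "post-release: bump to 2.4.60-dev"), so that anyone auditing which revision corresponds to the released 2.4.59 does not assume this revision's tree is the released one. The new value does agree with httpd.patch "60" in version.ent, as the trailing comment requires.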