What is package httpd-2.4.58, the Apache HTTP Server 2.4.58? KEYWORDS: Xinuoshttpd-2.4.58 Apache HTTP Server 2.4.58 RELEASE: version 2.4.58 of the Apache HTTP Server ("Apache"). Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.2 please see: https://httpd.apache.org/docs/trunk/new_features_2_4.html Note: this release of Xinuoshttpd-2.4.58 is just apache. No add on modules, only modules in the base. Changes since Xinuoshttpd-2.4.53 -------------------------------- After running /opt/xinuos/sbin/setup-httpd.sh Apache is now configured for vhosts. Just put your config files in /etc/opt/xinuos/httpd/vhosts Security Fixes -------------- Fixed in Apache HTTP Server 2.4.58 low: mod_macro buffer over-read (CVE-2023-31122) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. Acknowledgements: finder: David Shoon (github/davidshoon) Update 2.4.58 released 2023-10-19 Affects <=2.4.57 low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (CVE-2023-43622) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Acknowledgements: + finder: Prof. Sven Dietrich (City University of New York) + finder: Isa Jafarov (City University of New York) + finder: Prof. Heejo Lee (Korea University) + finder: Choongin Lee (Korea University) Reported to security team 2023-09-15 Update 2.4.58 released 2023-10-19 Affects <=2.4.57 moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (CVE-2023-45802) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Acknowledgements: + finder: Will Dormann of Vul Labs + finder: David Warren of Vul Labs Reported to security team 2023-10-12 Update 2.4.58 released 2023-10-19 Affects <=2.4.57 Fixed in Apache HTTP Server 2.4.56 important: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690) Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Acknowledgements: finder: Lars Krapf of Adobe Reported to security team 2023-02-02 fixed by r1908095 in 2.4.x 2023-03-07 Update 2.4.56 released 2023-03-07 Affects <=2.4.55 moderate: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522) HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Acknowledgements: finder: Dimas Fariski Setyawan Putra (nyxsorcerer) Reported to security team 2023-01-29 fixed by r1908094 in 2.4.x 2023-03-07 Update 2.4.56 released 2023-03-07 Affects <=2.4.55 Fixed in Apache HTTP Server 2.4.55 moderate: mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier. Described in first edition of "The Art of Software Security Assessment" 2006-10-31 Reported to security team 2022-08-10 Update 2.4.55 released 2023-01-17 Affects <=2.4.54 moderate: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (CVE-2022-36760) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions. Acknowledgements: finder: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group Reported to security team 2022-07-12 Update 2.4.55 released 2023-01-17 Affects <=2.4.54 moderate: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Acknowledgements: finder: Dimas Fariski Setyawan Putra (@nyxsorcerer) Reported to security team 2022-07-14 Update 2.4.55 released 2023-01-17 Affects <2.4.55 Fixed in Apache HTTP Server 2.4.54 moderate: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. Acknowledgements: Ricter Z @ 360 Noah Lab Reported to security team 2022-03-02 Update 2.4.54 released 2022-06-08 Affects <=2.4.53 low: read beyond bounds in mod_isapi (CVE-2022-28330) Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 low: read beyond bounds via ap_rwrite() (CVE-2022-28614) The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the "ap_rputs" function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue Update released in 2.4.54 2022-06-08 Affects <=2.4.53 low: Read beyond bounds in ap_strcmp_match() (CVE-2022-28615) Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 low: Denial of service in mod_lua r:parsebody (CVE-2022-29404) In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 low: mod_sed denial of service (CVE-2022-30522) If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. Acknowledgements: This issue was found by Brian Moussalli from the JFrog Security Research team Update 2.4.54 released 2022-06-08 Affects 2.4.53 low: Information Disclosure in mod_lua with websockets (CVE-2022-30556) Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Acknowledgements: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 low: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813) Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Acknowledgements: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 See complete ChangeLog at https://downloads.apache.org/httpd/CHANGES_2.4 ---------------------------------------------------------- Known Issues ------------ When you start apache on OpenServer 6D2M1 with the default config files, you may see a message like this. # /etc/init.d/httpd start Starting Apache 2.4 (httpd): AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using www.example.com. Set the 'ServerName' directive globally to suppress this message To fix, either set the 'ServerName' directive like the message says or take a tip from UnixWare and change /etc/hosts to have "IP FQDN hostname" not "IP hostname FQDN" ---------------------------------------------------------- I. Software Notes and Recommendations Xinuoshttpd should only be installed on: UnixWare 7 Definitive D2M1 with all current patches or SCO OpenServer 6 Definitive D2M1 with all current patches. Notes about SSL Certs --------------------- If using your own SSL certificates, please set them up before installing the package. For the packages that use certificates, Xinuos provides /etc/ssl/certs/xinuos-ca-bundle.crt which is copied to /etc/ssl/certs/ca-bundle.crt if it does not exist. /etc/ssl/certs/ca-bundle.crt is the file the packages will use. From time to time an updated package may provide a newer xinuos-ca-bundle.crt but it is the sysadmin's responsibility to keep ca-bundle.crt up to date. For the packages that use certificates, the /opt/xinuos/sbin/setup-.sh programs have hooks in them to use a real certificate and key if you have one. If it finds files (or symbolic links) named /etc/ssl/certs/hostcert.pem and /etc/ssl/private/hostkey.pem, it will configure the package to use those, otherwise it will generate a self-signed cert. ---------------------------------------------------------- II. Installation Instructions To install httpd-2.4.58 follow these steps: 1. Login as root 2. Download the Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz file and optionally the Xinuoshttpd-dev-2.4.58-UnixWare-i386.pkg.gz file to the /tmp directory on your machine. 3. After the download is complete, change to /tmp and run the following to command to verify the integrity of the download: openssl sha256 Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz openssl sha256 Xinuoshttpd-dev-2.4.58-UnixWare-i386.pkg.gz The output should be: SHA256 (Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz) = 4710f7b0bff47d5004fdf6caeefdb2b4a76e203ad8f4407a0ab0514284c88fcd SHA256 (Xinuoshttpd-dev-2.4.58-UnixWare-i386.pkg.gz) = 134815c938d22c3296e0ba30d4ff51c12092809885d5cb8782b8c5de23437a11 4. After verifying the sums match, As root, add the package to your system using these commands: $ su - Password: # gzcat Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz | pkgadd -d - Alternatively, this package may be installed in quiet mode by using these commands: $ su - Password: # gzcat Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz | pkgadd -qd - all If you are doing software development on Apache modules, repeat the steps for Xinuoshttpd-dev-2.4.58-UnixWare-i386.pkg.gz 5. Installation of package httpd-2.4.58 is now complete. 6. Once the installation has completed, you can remove or archive the httpd-2.4.58 file Xinuoshttpd-2.4.58-UnixWare-i386.pkg.gz downloaded in step 2. 7. /opt/xinuos/sbin/setup-httpd.sh will install config files in /etc/opt/xinuos/httpd. "/etc/init.d/httpd start" will start the web server. "/etc/init.d/httpd stop" will stop the web server. If you want web server to start on boot, edit /etc/opt/xinuos/httpd/httpd.options and change ONBOOT to yes. 8. If appropriate you can disable the old web server from starting on boot with (7D) "/etc/init.d/apache disable" (6D) "/etc/apache disable" or "/etc/apache2 disable". ---------------------------------------------------------- III. Removal Instructions Note: Packages must be removed in the reverse order in which they were installed due to dependencies. 1. As root, remove the package using these commands: $ su - Password: # pkginfo -q Xinuoshttpd-dev && pkgrm Xinuoshttpd-dev # pkgrm Xinuoshttpd If you have questions regarding this package, or the product on which it is installed, please contact your software supplier. ------------------------------------------------------------------------------- (C) Copyright 2023 Xinuos, Inc. All Rights Reserved.