<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-webserver, branch hardknott</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=hardknott</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=hardknott'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2022-04-30T01:43:20+00:00</updated>
<entry>
<title>fix renamed patch</title>
<updated>2022-04-30T01:43:20+00:00</updated>
<author>
<name>kueken</name>
<email>ohnemailadresse@arcor.de</email>
</author>
<published>2022-04-22T21:25:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=786d3aa313e31a718acc9611ba3adb60573ec458'/>
<id>urn:sha1:786d3aa313e31a718acc9611ba3adb60573ec458</id>
<content type='text'>
https://github.com/openembedded/meta-openembedded/commit/427c3e1ed6c1f909638976d74325945b549590cb#diff-b083e2fac146e23597aa0b458dff835d9c1700afce08afedbc17d4ac40728e56
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.52 -&gt; 2.4.53</title>
<updated>2022-04-16T16:52:52+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2022-03-22T04:46:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=427c3e1ed6c1f909638976d74325945b549590cb'/>
<id>urn:sha1:427c3e1ed6c1f909638976d74325945b549590cb</id>
<content type='text'>
ChangeLog:
https://downloads.apache.org/httpd/CHANGES_2.4.53

Security fixes:
CVE-2022-23943
CVE-2022-22721
CVE-2022-22720
CVE-2022-22719

Refresh patches.

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 81bbe65791459538ab578ac13e612f7dc6f692f0)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
(cherry picked from commit d6c8d3a1bad2276001c3bdc09de4dee107357a1d)
[Fixup for hardknott context, overrides]
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.51 -&gt; 2.4.52</title>
<updated>2022-01-27T15:56:43+00:00</updated>
<author>
<name>wangmy</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2021-12-27T14:34:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=3775e663cec1d14b92b550270e341928afa2a587'/>
<id>urn:sha1:3775e663cec1d14b92b550270e341928afa2a587</id>
<content type='text'>
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See &lt;https://github.com/icing/mod_h2/issues/212&gt;.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `&lt;MDomain dnsname&gt;`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See &lt;https://github.com/icing/mod_md/issues/268&gt;
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit ea76fc643713915a1618597be8bdbe0e4a3d993e)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>recipes: Update SRC_URI branch and protocols</title>
<updated>2021-11-13T15:45:48+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-11-07T18:42:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=7fbb2767186a4db729efe4f440cc9a992f2ab183'/>
<id>urn:sha1:7fbb2767186a4db729efe4f440cc9a992f2ab183</id>
<content type='text'>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>Apache: Several CVE fixes</title>
<updated>2021-10-29T04:14:03+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster@mvista.com</email>
</author>
<published>2021-10-28T06:32:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b7e32131a592520aeac6b6c00aec141818e96168'/>
<id>urn:sha1:b7e32131a592520aeac6b6c00aec141818e96168</id>
<content type='text'>
Source: Apache.org
MR: 113457, 113453
Type: Security Fix
Disposition: Backport from apache.org 2.4.51
ChangeID: 9d7b58f49487baff99bf8f101e53217425a2b81f
Description:

Bug fix only update. LTS version
https://httpd.apache.org/security/vulnerabilities_24.html

Fixes CVEs:
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773

Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.48 -&gt; 2.4.49</title>
<updated>2021-09-26T23:35:31+00:00</updated>
<author>
<name>wangmy</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2021-09-22T13:15:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=f44e1a2b575826e88b8cb2725e54a7c5d29cf94a'/>
<id>urn:sha1:f44e1a2b575826e88b8cb2725e54a7c5d29cf94a</id>
<content type='text'>
Changes with Apache 2.4.49

  *) SECURITY: CVE-2021-40438 (cve.mitre.org)
     mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]

  *) SECURITY: CVE-2021-39275 (cve.mitre.org)
     core: ap_escape_quotes buffer overflow

  *) SECURITY: CVE-2021-36160 (cve.mitre.org)
     mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]

  *) SECURITY: CVE-2021-34798 (cve.mitre.org)
     core: null pointer dereference on malformed request

  *) SECURITY: CVE-2021-33193 (cve.mitre.org)
     mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]

  *) core/mod_proxy/mod_ssl:
     Adding `outgoing` flag to conn_rec, indicating a connection is
     initiated by the server to somewhere, in contrast to incoming
     connections from clients.
     Adding 'ap_ssl_bind_outgoing()` function that marks a connection
     as outgoing and is used by mod_proxy instead of the previous
     optional function `ssl_engine_set`. This enables other SSL
     module to secure proxy connections.
     The optional functions `ssl_engine_set`, `ssl_engine_disable` and
     `ssl_proxy_enable` are now provided by the core to have backward
     compatibility with non-httpd modules that might use them. mod_ssl
     itself no longer registers these functions, but keeps them in its
     header for backward compatibility.
     The core provided optional function wrap any registered function
     like it was done for `ssl_is_ssl`.
     [Stefan Eissing]

  *) mod_ssl: Support logging private key material for use with
     wireshark via log file given by SSLKEYLOGFILE environment
     variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]

  *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
     "ProxyPassInterpolateEnv On" are configured.  PR 65549.
     [Joel Self &lt;joelself gmail.com&gt;]

  *) mpm_event: Fix children processes possibly not stopped on graceful
     restart.  PR 63169.  [Joel Self &lt;joelself gmail.com&gt;]

  *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
     protocols from mod_proxy_http, and a timeout triggering falsely when
     using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
     upgrade= setting.  PRs 65521 and 65519.  [Yann Ylavic]

  *) mod_unique_id: Reduce the time window where duplicates may be generated
     PR 65159
     [Christophe Jaillet]

  *) mpm_prefork: Block signals for child_init hooks to prevent potential
     threads created from there to catch MPM's signals.
     [Ruediger Pluem, Yann Ylavic]

  *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
     PR 65159" added in 2.4.47.
     This causes issue on Windows.
     [Christophe Jaillet]

  *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.  [Yann Ylavic]

  *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
     as successful or a staged renewal is replacing the existing certificates.
     This avoid potential mess ups in the md store file system to render the active
     certificates non-working. [@mkauf]

  *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
     [Yann Ylavic]

  *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
     connections. If ALPN protocols are provided and sent to the
     remote server, the received protocol selected is inspected
     and checked for a match. Without match, the peer handshake
     fails.
     An exception is the proposal of "http/1.1" where it is
     accepted if the remote server did not answer ALPN with
     a selected protocol. This accomodates for hosts that do
     not observe/support ALPN and speak http/1.x be default.

  *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
     with others when their URLs contain a '$' substitution.  PR 65419 + 65429.
     [Yann Ylavic]

  *) mod_dav: Add method_precondition hook. WebDAV extensions define
     conditions that must exist before a WebDAV method can be executed.
     This hook allows a WebDAV extension to verify these preconditions.
     [Graham Leggett]

  *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
     modules apart from versioning implementations to handle the REPORT method.
     [Graham Leggett]

  *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
     dav_get_resource() to mod_dav.h. [Graham Leggett]

  *) core: fix ap_escape_quotes substitution logic. [Eric Covener]

  *) Easy patches: synch 2.4.x and trunk
     - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
     - mod_ldap: log and abort locking errors.
     - mod_ldap: style fix for r1831165
     - mod_ldap: build break fix for r1831165
     - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
     - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
     - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
     - mod_rewrite: Save a few cycles.
     - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
     - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
    [Christophe Jaillet]

  *) core/mpm: add hook 'child_stopping` that gets called when the MPM is
     stopping a child process. The additional `graceful` parameter allows
     registered hooks to free resources early during a graceful shutdown.
     [Yann Ylavic, Stefan Eissing]

  *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
     balancer-manager, which can lead to a crash.  [Yann Ylavic]

  *) mpm_event: Fix graceful stop/restart of children processes if connections
     are in lingering close for too long.  [Yann Ylavic]

  *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
     server returned 2xx responses without content type. Reported by chuangwen.
     [chuangwen, Stefan Eissing]

  *) mod_md:
     - Domain names in `&lt;MDomain ...&gt;` can now appear in quoted form.
     - Fixed a failure in ACME challenge selection that aborted further searches
       when the tls-alpn-01 method did not seem to be suitable.
     - Changed the tls-alpn-01 setup to only become unsuitable when none of the
       dns names showed support for a configured 'Protocols ... acme-tls/1'. This
       allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
     [Stefan Eissing]

  *) Add CPING to health check logic. [Jean-Frederic Clere]

  *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]

  *) core, h2: common ap_parse_request_line() and ap_check_request_header()
     code. [Yann Ylavic]

  *) core: Add StrictHostCheck to allow unconfigured hostnames to be
     rejected. [Eric Covener]

  *) htcacheclean: Improve help messages.  [Christophe Jaillet]

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 54a96fa4feb1a7712f9f3d1190c0d95d89eb6c7c)
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>nginx: fix CVE-2021-3618</title>
<updated>2021-09-03T01:25:42+00:00</updated>
<author>
<name>Joe Slater</name>
<email>joe.slater@windriver.com</email>
</author>
<published>2021-09-02T21:19:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=262d9bd0d038e5479a433c00def2389d7c3f1429'/>
<id>urn:sha1:262d9bd0d038e5479a433c00def2389d7c3f1429</id>
<content type='text'>
Apply patch made to version 1.20.1 to version 1.18.0.

Signed-off-by: Joe Slater &lt;joe.slater@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.46 -&gt; 2.4.48</title>
<updated>2021-09-03T01:22:44+00:00</updated>
<author>
<name>Changqing Li</name>
<email>changqing.li@windriver.com</email>
</author>
<published>2021-08-02T02:09:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=4b28324739d949e1d65c278fbab873d590f233f4'/>
<id>urn:sha1:4b28324739d949e1d65c278fbab873d590f233f4</id>
<content type='text'>
Source: https://git.openembedded.org/meta-openembedded
https://git.openembedded.org/meta-openembedded
MR: 112869, 112835, 105131, 112702, 112829
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?id=ba016d73b5233a43ec6e398b45445d13ddaad745
ChangeID: f3ac0bc1005c94a694573b823c8f3f7d4a15360c
Description:

Apache2 2.4.x is an LTS version with bug and CVE fixes.
https://downloads.apache.org/httpd/CHANGES_2.4.48

Includes these CVE fixes:

2.4.48
CVE-2021-31618

2.4.47
CVE-2020-13938
CVE-2020-11985
CVE-2021-33193
CVE-2019-17567

Drop these patches included in update:
CVE-2020-13950.patch
CVE-2020-35452.patch
CVE-2021-26690.patch
CVE-2021-26691.patch
CVE-2021-30641.patch

Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit ba016d73b5233a43ec6e398b45445d13ddaad745)
Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
</content>
</entry>
<entry>
<title>hiawatha: fix url.</title>
<updated>2021-07-24T15:22:45+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-07-24T15:22:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=76a6070e6886fc7d623742bf0f7c4167b8b8dae8'/>
<id>urn:sha1:76a6070e6886fc7d623742bf0f7c4167b8b8dae8</id>
<content type='text'>
files moved under a new dir structure.

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641</title>
<updated>2021-07-10T18:20:05+00:00</updated>
<author>
<name>Li Wang</name>
<email>li.wang@windriver.com</email>
</author>
<published>2021-07-08T09:04:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=70b1aa0a4cd4bfd08b6c8d36a76f9b7cf20d61a6'/>
<id>urn:sha1:70b1aa0a4cd4bfd08b6c8d36a76f9b7cf20d61a6</id>
<content type='text'>
CVE-2020-13950:
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be
made to crash (NULL pointer dereference) with specially crafted
requests using both Content-Length and Transfer-Encoding headers,
leading to a Denial of Service

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-13950

Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966738
https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b

CVE-2020-35452:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow
being exploitable, nor the Apache HTTP Server team could
create one, though some particular compiler and/or
compilation option might make it possible, with limited
consequences anyway due to the size (a single byte) and
the value (zero byte) of the overflow

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-35452

Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2020-35452
https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b

CVE-2021-26690:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Cookie header handled by mod_session can cause
a NULL pointer dereference and crash, leading to a
possible Denial Of Service

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26690

Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2021-26690
https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8

CVE-2021-26691:
In Apache HTTP Server versions 2.4.0 to 2.4.46 a
specially crafted SessionHeader sent by an origin server
could cause a heap overflow

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26691

Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966732
https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b

CVE-2021-30641:
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected
matching behavior with 'MergeSlashes OFF'

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30641

Upstream patches:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3

Signed-off-by: Li Wang &lt;li.wang@windriver.com&gt;
Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
