Website broken following migration to greenby
@plusnettony wrote:
I am taking a further look into this and will provide updates shortly.
Thank you, but ...
... exactly how shortly is shortly given the length of loss-of-service so far 
I do, of course, fully understand that this issue is most definitely not your fault and and neither is the ridiculous delay in resolving it. You are simply the poor b*gger who has his head above the parapet while the guilty ones hide in the dark corners of a back office somewhere as per bleedin' usual and take absolutely no responsibility for their actions or blatant lack thereof as the case may be 
This should be resolved - looks ok on testing.
It was thought that nobody used this feature.
Security was raised and assurance provided.
The mix up between Force9/Plusnet seems to related to a problem which was resolved months ago.
I hope, going forward, all is well.
Thank you @plusnettony Current status of the specific problems discussed in the thread:
A full and detailed technical explanation for these two significant problems is now required as a matter of urgency. There are numerous other short-lived issues (typ < 10 minutes) recorded on all F9/PN A/Cs (PN hosted as well as Greenby hosted) at various times which I'm just ignoring for now in order to focus on the more significant problems which were experienced and not exactly resolved in a timely manner.
It needs to be ascertained whether these issues were down to:
- PN or Greenby (if not both !)
- The specific server allocated to the A/C
- A change in server IP
- Server configuration in general
- Apache configuration in particular
- Incompetence or data mis-management during A/C migration(s)
In addition, I note that Ye Olde Apache Version 2.4.58 which was apparently released 19/10/2023 is still being used. Why is this when there are quite so many publicly announced problems, vulnerabilities and security issues with non-current versions, all of which were fixed in Version 2.4.66 which was apparently released 04/12/2025.
I just cannot in any way understand why on earth a 'new' company is apparently setting up 'new' customers on some allegedly 'new' system but is currently using such relatively ancient software 
Is this going to end up as a movie about some 12-year-olds who've found a bunch of servers in a skip behind an IT recycling warehouse and are setting this up in their parents' garage perhaps 
Because whilst that kinda thing may well have worked out quite well for the likes of Gates, Bezos and Zuckerburg et al, it's far from guaranteed to work in general as countless thousands of others would no doubt be able to confirm from much personal experience with trying !
Given my very positive experiences with a different ENIX brand, I'm seriously disappointed with what Greenby are providing, how they are doing it and with all the apparent issues that PN customers have been having with their migration in general 
So much so that it will inevitably be influencing my decisions on future hosting contracts. I very much regret suggesting to other customers that things will be so much better once email and webspace is finally migrated away from PN. Rather foolishly with hindsight, I just assumed that we'd all end up with a service much the same as that I was currently experiencing eventually, albeit one with restricted functionality or performance. I was most certainly not expecting the dog's dinner that we seem to have been served no matter who or what is responsible for it's creation.
However, the all-important Question Of The Day is: Just how many well known problems does there need to be before antique software applications are actually updated to more current and hopefully somewhat less bug-ridden versions ? Answers ... on a postcard of course ... because my email is, shall we say, more than a little cranky and unreliable at times plus my website may or may not be working should you try to contact me that way instead
[QUOTE]
Changes with Apache 2.4.66
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo (cve.mitre.org)
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override (cve.mitre.org)
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF (cve.mitre.org)
Server-Side Request Forgery (SSRF) vulnerability
 in Apache HTTP Server on Windows
with AllowEncodedSlashes On and MergeSlashes Off allows to
potentially leak NTLM
hashes to a malicious server via SSRF and malicious requests or
content
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=... (cve.mitre.org)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Anthony Parfenov (United Rentals, Inc.)
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (cve.mitre.org)
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Aisle Research
*) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
[Stefan Eissing]
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
PR69741 [Benjamin P. Kallus]
*) mod_md: update to version 2.6.5
- New directive `MDInitialDelay`, controlling how longer to wait after
a server restart before checking certificates for renewal.
[Michael Kaufmann]
- Hardening: when build with OpenSSL older than 1.0.2 or old libressl
versions, the parsing of ASN.1 time strings did not do a length check.
- Hardening: when reading back OCSP responses stored in the local JSON
store, missing 'valid' key led to uninitialized values, resulting in
wrong refresh behaviour.
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
- Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
[Stefan Eissing]
* mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771
*) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
[Ruediger Pluem]
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
host compatibility policy. PR 69743. [Joe Orton]
*) mod_md: update to version 2.6.2
- Fix error retry delay calculation to not already doubling the wait
on the first error.
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.
Changes with Apache 2.4.65
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
always evaluates to true in 2.4.64 (cve.mitre.org)
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
expr ..." tests evaluating as "true".
Users are recommended to upgrade to version 2.4.65, which fixes
the issue.
Changes with Apache 2.4.64
*) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
Memory Increase (cve.mitre.org)
Late Release of Memory after Effective Lifetime vulnerability in
Apache HTTP Server.
This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
Users are recommended to upgrade to version 2.4.64, which fixes
the issue.
Credits: Gal Bar Nahum
*) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS
upgrade attack (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server versions
through to 2.4.63, an HTTP desynchronisation attack allows a
man-in-the-middle attacker to hijack an HTTP session via a TLS
upgrade.
Only configurations using "SSLEngine optional" to enable TLS
upgrades are affected. Users are recommended to upgrade to
version 2.4.64, which removes support for TLS upgrade.
Credits: Robert Merget (Technology Innovation Institute)
*) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2
denial of service (cve.mitre.org)
In certain proxy configurations, a denial of service attack
against Apache HTTP Server versions 2.4.26 through to 2.4.63
can be triggered by untrusted clients causing an assertion in
mod_proxy_http2.
Configurations affected are a reverse proxy is configured for an
HTTP/2 backend, with ProxyPreserveHost set to "on".
Credits: Anthony CORSIEZ
*) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access
control bypass with session resumption (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server 2.4.35
through to 2.4.62, an access control bypass by trusted clients
is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for
multiple virtual hosts, with each restricted to a different set
of trusted client certificates (for example with a different
SSLCACertificateFile/Path setting). In such a case, a client
trusted to access one virtual host may be able to access another
virtual host, if SSLStrictSNIVHostCheck is not enabled in either
virtual host.
Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy,
and Juraj Somorovsky at Paderborn University
*) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log
variable escaping (cve.mitre.org)
Insufficient escaping of user-supplied data in mod_ssl in Apache
HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS
client to insert escape characters into log files in some
configurations.
In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by
mod_ssl such as SSL_TLS_SNI, no escaping is performed by either
mod_log_config or mod_ssl and unsanitized data provided by the
client may appear in log files.
Credits: John Runyon
*) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows
due to UNC paths (cve.mitre.org)
Server-Side Request Forgery (SSRF) in Apache HTTP Server on
Windows allows to potentially leak NTLM hashes to a malicious
server via
mod_rewrite or apache expressions that pass unvalidated request
input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher
bar for accepting vulnerability reports regarding SSRF via UNC
paths.
The server offers limited protection against administrators
directing the server to open UNC paths.
Windows servers should limit the hosts they will connect over
via SMB based on the nature of NTLM authentication.
Credits: Kainan Zhang (@4xpl0r3r) from Fortinet
*) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with
mod_headers setting Content-Type header (cve.mitre.org)
SSRF in Apache HTTP Server with mod_proxy loaded allows an
attacker to send outbound proxy requests to a URL controlled by
the attacker. Requires an unlikely configuration where
mod_headers is configured to modify the Content-Type request or
response header with a value provided in the HTTP request.
Users are recommended to upgrade to version 2.4.64 which fixes
this issue.
*) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
HTTP response splitting in the core of Apache HTTP Server allows
an attacker who can manipulate the Content-Type response headers
of applications hosted or proxied by the server can split the
HTTP response.
This vulnerability was described as CVE-2023-38709 but the patch
included in Apache HTTP Server 2.4.59 did not address the issue.
Users are recommended to upgrade to version 2.4.64, which fixes
this issue.
Credits: xiaojunjie@安æ’ä¿¡æ¯æ州市滨江区技能大师工作室
*) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer
size. PR 69402 [Jari Ahonen <jah@progress.com>]
*) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
builds which enable it in libssl natively. [Joe Orton]
*) mod_asis: Fix the log level of the message AH01236.
Github #527 [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_session_dbd: ensure format used with SessionDBDCookieName and
SessionDBDCookieName2 are correct.
Github #503 [Thomas Meyer <thomas m3y3r.de>]
*) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could
inadvertently modify the Content-Type _response_ header. Applies to
Content-Type only and likely to only affect static file responses.
[Eric Covener]
*) mod_ssl: Remove warning over potential uninitialised value
for ssl protocol prior to protocol selection.
[Graham Leggett]
*) mod_proxy: Reuse ProxyRemote connections when possible, like prior
to 2.4.59. [Jean-Frederic Clere, Yann Ylavic]
*) mod_systemd: Add systemd socket activation support. [Paul Querna,
Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton]
*) mod_systemd: Log the SELinux context at startup if available and
enabled. [Joe Orton]
*) mod_http2: update to version 2.0.32
The code setting the connection window size was set wrong,
preventing `H2WindowSize` to work.
Fixed <https://github.com/icing/mod_h2/issues/300>.
[Stefan Eissing, Michael Kaufmann]
*) mod_http2: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
*) mod_lua: Fix memory handling in LuaOutputFilter. PR 69590.
[Guillermo Grandes <guillermo.grandes gmail.com>]
* mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection who a node is unresponsive.
PR69624.
*) mod_proxy_balancer: Fix a regression that caused stickysession keys no
longer be recognized if they are provided as query parameter in the URL.
PR 69443 [Ruediger Pluem]
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
*) mod_dav: Add API to expose DavBasePath setting. [Joe Orton]
*) mod_md: update to version 2.5.1
- Added support for ACME profiles with new directives MDProfile and
MDProfileMandatory.
- When installing a custom CA file via `MDCACertificateFile`, also set the
libcurl option CURLSSLOPT_NO_REVOKE that suppresses complains by Schannel
(when curl is linked with it) about missing CRL/OCSP in certificates.
- Fixed handling of corrupted httpd.json and added test 300_30 for it.
File is removed on error and written again. Fixes #369.
- Added explanation in log for how to proceed when md_store.json could not be
parsed and prevented the server start.
- restored fixed to #336 and #337 which got lost in a sync with Apache svn
- Add Issue Name/Uris to certificate information in md-status handler
- MDomains with static certificate files have MDRenewMode "manual", unless
"always" is configured.
*) core: Report invalid Options= argument when parsing AllowOverride
directives.
Github #310 [Zhou Qingyang <zhou1615 umn.edu>]
*) scoreboard/mod_http2: record durations of HTTP/2 requests.
PR 69579 [Pierre Brochard <pierre.brochard.1982@m4x.org>]
Changes with Apache 2.4.63
*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]
*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]
*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]
*) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <tokunou.yutaka@fujitsu.com>]
*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]
*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]
*) mod_log_config: Fix merging for the "LogFormat" directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo apache.org>]
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without "SSLCryptoDevice" configured. [Joe Orton]
*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]
*) mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]
*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]
*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <mstreeter1@gmail.com>]
*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]
*) mod_rewrite: Don't require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]
*) Windows: Restore the ability to "Include" configuration files on UNC
paths. PR 69313 [Eric Covener]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
*) mod_tls: removed the experimental module. It now is availble standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]
*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]
*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]
Changes with Apache 2.4.62
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]
Changes with Apache 2.4.61
*) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A regression in the core of Apache HTTP Server 2.4.60 ignores
some use of the legacy content-type based configuration of
handlers. "AddType" and similar configuration, under some
circumstances where files are requested indirectly, result in
source code disclosure of local content. For example, PHP
scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.61, which fixes
this issue.
Changes with Apache 2.4.60
*) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
handler substitution (cve.mitre.org)
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
earlier allows an attacker to cause unsafe RewriteRules to
unexpectedly setup URL's to be handled by mod_proxy.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
Denial of Service in mod_proxy via a malicious request
(cve.mitre.org)
null pointer dereference in mod_proxy in Apache HTTP Server
2.4.59 and earlier allows an attacker to crash the server via a
malicious request.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.
Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
mod_rewrite when first segment of substitution matches
filesystem path. (cve.mitre.org)
Improper escaping of output in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows an attacker to map URLs to filesystem
locations that are permitted to be served by the server but are
not intentionally/directly reachable by any URL, resulting in
code execution or source code disclosure.
Substitutions in server context that use a backreferences or
variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change and the
rewrite flag "UnsafePrefixStat" can be used to opt back in once
ensuring the substitution is appropriately constrained.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
encoded question marks in backreferences (cve.mitre.org)
Substitution encoding issue in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly
reachable by any URL or source disclosure of scripts meant to
only to be executed as CGI.
Note: Some RewriteRules that capture and substitute unsafely will now
fail unless rewrite flag "UnsafeAllow3F" is specified.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
problem (cve.mitre.org)
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
earlier allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via
crafted requests.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF
(cve.mitre.org)
SSRF in Apache HTTP Server on Windows allows to potentially leak
NTML hashes to a malicious server via SSRF and malicious
requests or content
Note: Existing configurations that access UNC paths
will have to configure new directive "UNCList" to allow access
during request processing.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
pointer in websocket over HTTP/2 (cve.mitre.org)
Serving WebSocket protocol upgrades over a HTTP/2 connection
could result in a Null Pointer dereference, leading to a crash
of the server process, degrading performance.
Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
*) mod_proxy: Fix DNS requests and connections closed before the
configured addressTTL. PR 69126. [Yann Ylavic]
*) core: On Linux, log the real thread ID in error logs. [Joe Orton]
*) core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396
[Joe Orton]
*) mod_ssl: Reject client-initiated renegotiation with a TLS alert
(rather than connection closure). [Joe Orton, Yann Ylavic]
*) Updated mime.types. [Mohamed Akram <mohd.akram outlook.com>,
Adam Silverstein <adamsilverstein earthboundhosting.com>]
*) mod_ssl: Fix a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set. PR 68863 [Ruediger Pluem]
*) mod_cgid: Optional support for file descriptor passing, fixing
error log handling (configure --enable-cgid-fdpassing) on Unix
platforms. PR 54221. [Joe Orton]
*) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
error logs. PR 61980. [Hank Ibell <hwibell gmail.com>]
*) mod_tls: update version of rustls-ffi to v0.13.0.
[Daniel McCarney (@cpu}]
*) mod_md:
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Changes with Apache 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
After this change, CGI-like scripts cannot set Transfer-Encoding
or Content-Length headers. To restore the ability to set Content-Length
header, set per-request environment variable 'ap_trust_cgilike_cl' to any
non-empty value.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) mod_deflate: Fixes and better logging for handling various
error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610
[ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
[Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA
name lists for SSLCACertificatePath/SSLCADNRequestPath.
Names will now be consistently sorted. PR 61574.
[Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type
or any XML media type per RFC 7303, avoiding
corruption of Microsoft OOXML formats. PR 64339.
[Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one. PR 65091.
[Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
[Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047.
[Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2. [Joe Orton,
Yann Ylavic]
*) core: Allow mod_env to override system environment vars. PR 63117.
[Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
operation which removes a directory/file between apr_dir_read() and
apr_stat(). Current behaviour is to abort the connection which seems
inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler.
[Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
notably with OpenSSL >= 3. PR 68080. [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
[Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname or port
part of the URL. [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy. PR 37355. [Joe Orton]
[/QUOTE]