publishing release httpd-2.4.56
diff --git a/content/doap.rdf b/content/doap.rdf
index 287c18c..15ee6ca 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
<release>
<Version>
<name>Recommended current 2.4 release</name>
- <created>2023-01-17</created>
- <revision>2.4.55</revision>
+ <created>2023-03-07</created>
+ <revision>2.4.56</revision>
</Version>
</release>
diff --git a/content/download.md b/content/download.md
index 96a9657..4dd4e4c 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,16 +19,16 @@
Stable Release - Latest Version:
-- [2.4.55](#apache24) (released 2023-01-17)
+- [2.4.56](#apache24) (released 2023-03-07)
If you are downloading the Win32 distribution, please read these [important
notes]([preferred]httpd/binaries/win32/README.html).
-# Apache HTTP Server 2.4.55 (httpd): 2.4.55 is the latest available version <span>2023-01-17</span> {#apache24}
+# Apache HTTP Server 2.4.56 (httpd): 2.4.56 is the latest available version <span>2023-03-07</span> {#apache24}
The Apache HTTP Server Project is pleased to
[announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.55 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.56 of the Apache HTTP Server ("Apache" and "httpd").
This version of Apache is our latest GA release of the new generation 2.4.x
branch of Apache HTTPD and represents fifteen years of innovation by the
project, and is recommended over all previous releases!
@@ -36,17 +36,17 @@
For details, see the [Official
Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and
-[CHANGES_2.4.55]([preferred]httpd/CHANGES_2.4.55) lists.
+[CHANGES_2.4.56]([preferred]httpd/CHANGES_2.4.56) lists.
-- Source: [httpd-2.4.55.tar.bz2]([preferred]httpd/httpd-2.4.55.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha512) ]
+- Source: [httpd-2.4.56.tar.bz2]([preferred]httpd/httpd-2.4.56.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.56.tar.bz2.sha512) ]
-- Source: [httpd-2.4.55.tar.gz]([preferred]httpd/httpd-2.4.55.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha512) ]
+- Source: [httpd-2.4.56.tar.gz]([preferred]httpd/httpd-2.4.56.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.56.tar.gz.sha512) ]
- [Binaries]([preferred]httpd/binaries/)
diff --git a/content/index.md b/content/index.md
index 187ff18..2b611b7 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@
The Apache HTTP Server is a project of [The Apache Software
Foundation](http://www.apache.org/).
-# Apache httpd 2.4.55 Released <span>2023-01-17</span>
+# Apache httpd 2.4.56 Released <span>2023-03-07</span>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to
[announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.55 of the Apache HTTP Server ("httpd").
+release of version 2.4.56 of the Apache HTTP Server ("httpd").
This latest release from the 2.4.x stable branch represents the best available
version of Apache HTTP Server.
@@ -27,7 +27,7 @@
Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
[Download](download.cgi#apache24) | [ChangeLog for
-2.4.55](http://downloads.apache.org/httpd/CHANGES_2.4.55) | [Complete ChangeLog for
+2.4.56](http://downloads.apache.org/httpd/CHANGES_2.4.56) | [Complete ChangeLog for
2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
2.4](docs/trunk/new_features_2_4.html) {.centered}
diff --git a/content/security/json/CVE-2023-25690.json b/content/security/json/CVE-2023-25690.json
new file mode 100644
index 0000000..fe3035f
--- /dev/null
+++ b/content/security/json/CVE-2023-25690.json
@@ -0,0 +1,103 @@
+{
+ "cveMetadata": {
+ "cveId": "CVE-2023-25690",
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "CNA_private": {
+ "emailed": null,
+ "projecturl": "https://httpd.apache.org/",
+ "owner": "httpd",
+ "userslist": "users@httpd.apache.org",
+ "state": "REVIEW",
+ "todo": [],
+ "type": "unsure"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "title": "HTTP request splitting with mod_rewrite and mod_proxy",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",
+ "lang": "en",
+ "cweId": "CWE-444",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "affected": [
+ {
+ "vendor": "Apache Software Foundation",
+ "product": "Apache HTTP Server",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "2.4.0",
+ "lessThanOrEqual": "2.4.55",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unknown"
+ }
+ ],
+ "descriptions": [
+ {
+ "value": "Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \" http://example.com:8080/elsewhere?$1\" http://example.com:8080/elsewhere ; [P]\nProxyPassReverse /here/ http://example.com:8080/ http://example.com:8080/ \n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.\n\n\n\n",
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "<div>Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.</div><div><br></div><div><div>Configurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:</div><div><br></div><div>RewriteEngine on<br>RewriteRule \"^/here/(.*)\" \"<a target=\"_blank\" rel=\"nofollow\" href=\"http://example.com:8080/elsewhere?$1"\">http://example.com:8080/elsewhere?$1\"</a>; [P]<br>ProxyPassReverse /here/ <a target=\"_blank\" rel=\"nofollow\" href=\"http://example.com:8080/\">http://example.com:8080/</a></div><br>Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.<br><br></div>"
+ }
+ ]
+ }
+ ],
+ "references": [],
+ "metrics": [
+ {
+ "other": {
+ "type": "Textual description of severity",
+ "content": {
+ "text": "important"
+ }
+ }
+ }
+ ],
+ "timeline": [
+ {
+ "time": "2023-02-02T06:01:00.000Z",
+ "lang": "en",
+ "value": "reported"
+ },
+ {
+ "lang": "eng",
+ "time": "2023-03-07",
+ "value": "2.4.56 released"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Lars Krapf of Adobe",
+ "type": "finder"
+ }
+ ],
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/content/security/json/CVE-2023-27522.json b/content/security/json/CVE-2023-27522.json
new file mode 100644
index 0000000..21a58fa
--- /dev/null
+++ b/content/security/json/CVE-2023-27522.json
@@ -0,0 +1,101 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.4.55",
+ "status": "affected",
+ "version": "2.4.30",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Dimas Fariski Setyawan Putra (nyxsorcerer)"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "<div>HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_<code>proxy_uwsgi</code>. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.</div><div>Special characters in the origin response header can truncate/split the response forwarded to the client.<br></div>"
+ }
+ ],
+ "value": "HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n"
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "content": {
+ "text": "moderate"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-444",
+ "description": "CWE-444 Inconsistent Interpretation of HTTP Responses ('HTTP Response Smuggling')",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "references": [
+ {
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "en",
+ "time": "2023-01-29T10:42:00.000Z",
+ "value": "Reported to security team"
+ },
+ {
+ "lang": "eng",
+ "time": "2023-03-07",
+ "value": "2.4.56 released"
+ }
+ ],
+ "title": "Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2023-27522",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
