[ANNOUNCEMENT] Apache HTTP Server 2.4.48 Released

Apache HTTP Server 2.4.48 Released June 01, 2021 The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.48 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new

CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections

CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections Severity: moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.6 to 2.4.46 Description: Apache HTTP Server 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded

CVE-2020-13938: Improper Handling of Insufficient Privileges

CVE-2020-13938: Improper Handling of Insufficient Privileges Severity: moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.0 to 2.4.47 Description: Apache HTTP Server 2.4.0 to 2.4.47 Unprivileged local users can stop httpd on Windows Mitigation: n/a Credit: Disc

CVE-2020-13950: mod_proxy_http NULL pointer dereference

CVE-2020-13950: mod_proxy_http NULL pointer dereference Severity: low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.41 to 2.4.46 Description: Apache HTTP Server 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted reques

CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte

CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte Severity: low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.0 to 2.4.46 Description: Apache HTTP Server 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest.

CVE-2021-26690: mod_session NULL pointer dereference

CVE-2021-26690: mod_session NULL pointer dereference Severity: low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.0 to 2.4.46 Description: Apache HTTP Server 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and

CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF'

CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF' Severity: moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.39 to 2.4.46 Description: Apache HTTP Server 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' Mitigation: n/a Credi

CVE-2021-26691: mod_session response handling heap overflow

Mitigation: None Credit: Discovered internally by Christophe Jaillet References: https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request

CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request Severity: important Vendor: The Apache Software Foundation Versions Affected: 2.4.47 httpd Description: Apache HTTP Server 2.4.47 Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request h