Bearsampp / .teams

Private documentation repo for the Organization
https://bearsampp.com
GNU General Public License v3.0

Create a method to auto create security release article formatting #77

Closed N6REJ closed 5 months ago

N6REJ commented 6 months ago

Security release articles should all have the same styling for the best customer experience. Let's use this format for all future articles. I'll try to figure out a good way of making this simple but for now, here's the code.

<h2 class="text-danger text-center">
  <i class="fa fa-shield-alt fa-lg"></i>
  <b>Security release!</b>
  <i class="fa fa-shield-alt fa-lg padding-horiz-30"></i>
</h2>
<div class="accordion accordion-flush" id="accordionFlushExample">
  <div class="accordion-item">
    <h2 class="accordion-header" id="flush-headingOne">
      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseOne" aria-expanded="false" aria-controls="flush-collapseOne"> Vulnerability List </button>
    </h2>
    <div id="flush-collapseOne" class="accordion-collapse collapse" aria-labelledby="flush-headingOne" data-bs-parent="#accordionFlushExample">
      <div class="apcontents">
        <!-- PLACE ARTICLE CONTENT FOR VULNERABILITY HERE -->
        <h1 id="2.4.58">Fixed in Apache HTTP Server 2.4.58</h1>
        <dl>
          <dt>
            <h3 id="CVE-2023-31122">low: <name name="CVE-2023-31122">mod_macro buffer over-read</name> ( <a href="https://www.cve.org/CVERecord?id=CVE-2023-31122">CVE-2023-31122</a>) </h3>
          </dt>
          <dd>
            <p>Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.</p>
            <p></p>
            <p></p>
            <p>Acknowledgements: finder: David Shoon (github/davidshoon)</p>
            <table class="table">
              <tbody>
                <tr>
                  <td class="cve-header">Update 2.4.58 released</td>
                  <td class="cve-value">2023-10-19</td>
                </tr>
                <tr>
                  <td class="cve-header">Affects</td>
                  <td class="cve-value">&lt;=2.4.57</td>
                </tr>
              </tbody>
            </table>
          </dd>
          <dt>
            <h3 id="CVE-2023-43622">low: <name name="CVE-2023-43622">Apache HTTP Server: DoS in HTTP/2 with initial windows size 0</name> ( <a href="https://www.cve.org/CVERecord?id=CVE-2023-43622">CVE-2023-43622</a>) </h3>
          </dt>
          <dd>
            <p>An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.</p>
            <p>This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.</p>
            <p></p>
            <p>This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.</p>
            <p></p>
            <p>Users are recommended to upgrade to version 2.4.58, which fixes the issue.</p>
            <p></p>
            <p></p>
            <p>Acknowledgements:</p>
            <ul>
              <li>finder: Prof. Sven Dietrich (City University of New York)</li>
              <li>finder: Isa Jafarov (City University of New York)</li>
              <li>finder: Prof. Heejo Lee (Korea University)</li>
              <li>finder: Choongin Lee (Korea University)</li>
            </ul>
            <table class="table">
              <tbody>
                <tr>
                  <td class="cve-header">Reported to security team</td>
                  <td class="cve-value">2023-09-15</td>
                </tr>
                <tr>
                  <td class="cve-header">Update 2.4.58 released</td>
                  <td class="cve-value">2023-10-19</td>
                </tr>
                <tr>
                  <td class="cve-header">Affects</td>
                  <td class="cve-value">&lt;=2.4.57</td>
                </tr>
              </tbody>
            </table>
          </dd>
          <dt>
            <h3 id="CVE-2023-45802">moderate: <name name="CVE-2023-45802">Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST</name> ( <a href="https://www.cve.org/CVERecord?id=CVE-2023-45802">CVE-2023-45802</a>) </h3>
          </dt>
          <dd>
            <p>When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.</p>
            <p></p>
            <p>This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.</p>
            <p></p>
            <p>Users are recommended to upgrade to version 2.4.58, which fixes the issue.</p>
            <p></p>
            <p>Acknowledgements:</p>
            <ul>
              <li>finder: Will Dormann of Vul Labs</li>
              <li>finder: David Warren of Vul Labs</li>
            </ul>
            <table class="table">
              <tbody>
                <tr>
                  <td class="cve-header">Reported to security team</td>
                  <td class="cve-value">2023-10-12</td>
                </tr>
                <tr>
                  <td class="cve-header">Update 2.4.58 released</td>
                  <td class="cve-value">2023-10-19</td>
                </tr>
                <tr>
                  <td class="cve-header">Affects</td>
                  <td class="cve-value">&lt;=2.4.57</td>
                </tr>
              </tbody>
            </table>
          </dd>
        </dl>
      </div>
    </div>
  </div>
  <!-- END VULNERABILITY LIST -->
  <div class="accordion-item">
    <h2 class="accordion-header" id="flush-headingTwo">
      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseTwo" aria-expanded="false" aria-controls="flush-collapseTwo"> Change Log</button>
    </h2>
    <div id="flush-collapseTwo" class="accordion-collapse collapse" aria-labelledby="flush-headingTwo" data-bs-parent="#accordionFlushExample">
      <div class="accordion-body">
        <!-- PLACE CHANGELOG ARTICLES HERE -->
        <table width="100%" border="0" cellspacing="0" cellpadding="0" style="width: 99.981%;">
          <tbody>
            <tr>
              <td width="100%" style="width: 100.019%;">
                <a href="viewtopic.php?p=42275#42275"></a>
                <span class="postdetails">Posted: Thu 19 Oct '23 12:50 <br /> Post subject: Apache httpd 2.4.58 GA Available :: updated </span>
              </td>
            </tr>
            <tr>
              <td style="width: 100.019%;">
                <hr />
              </td>
            </tr>
            <tr>
              <td style="width: 100.019%;">
                <span class="postbody">Apache httpd 2.4.58 is released as GA. <br />
                  <br />
                  <span style="color: green;">
                    <span style="font-weight: bold;">31 January 2024 Update, see below</span>
                  </span>
                  <br />
                  <br />ASF and Apachelounge changes : <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/Changelog-2.4.html" target="_blank" rel="noopener">https://www.apachelounge.com/Changelog-2.4.html</a>
                  </span>
                  <br />
                  <br />
                  <span style="font-weight: bold;">
                    <span style="color: blue;">Important</span>
                  </span> security vulnerabilities are fixed in 2.4.58, see <span style="font-weight: bold;">
                    <a href="https://httpd.apache.org/security/vulnerabilities_24.html" target="_blank" rel="noopener">https://httpd.apache.org/security/vulnerabilities_24.html</a>
                  </span>. <br />
                  <br />
                  <span style="font-weight: bold;">VS17 Win32</span>
                  <br />The Win32 version is available again, see also discussion <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/viewtopic.php?p=42099" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?p=42099</a>
                  </span>
                  <br />Only built with the standard Apache modules. <br />For non-standard modules (like mod_fcgid) use the VS16 Win32 ones at <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/download/VS16/" target="_blank" rel="noopener">https://www.apachelounge.com/download/VS16/</a>
                  </span>
                  <br />
                  <br />Documentation: <span style="font-weight: bold;">
                    <a href="http://httpd.apache.org/docs/2.4/" target="_blank" rel="noopener">http://httpd.apache.org/docs/2.4/</a>
                  </span>
                  <br />
                  <br />Build with dependencies: <br />
                  <br />- openssl 3.1.5 <br />- nghttp2 1.59.0 <br />- jansson 2.14 <br />- curl 8.5.0 <br />- apr 1.7.3 <br />- apr-util 1.6.3 <br />- apr-iconv 1.2.2 <br />- zlib 1.3.1 <br />- brotli 1.1.0 <br />- pcre2 10.42 <br />- libxml2 2.12.4 <br />- lua 5.4.6 <br />- expat 2.5.0 <br />
                  <br />
                  <span style="font-weight: bold;">Notes VS17 OpenSSL 3.x.x:</span>
                  <br />
                  <br />- <span style="font-weight: bold;">Only PHP 8.2 and 8.1</span> (build with 3.x.x) is running as module. <br />
                  <span style="font-weight: bold;">
                    <span style="color: green;">Running with mod_fcgid no issues seen</span>
                  </span>. <br />
                  <br />For running as module, See also the post from <span style="font-weight: bold;">user Otomatic and notes </span> at <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/viewtopic.php?t=8969" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8969</a>
                    <br />
                  </span> and <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/viewtopic.php?t=8938" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8938</a>
                    <br />
                  </span>
                  <br />- With too weak certificates/ciphers Apache does not start, see <span style="font-weight: bold;">
                    <a href="https://www.apachelounge.com/viewtopic.php?t=8819" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8819</a>
                  </span>
                  <br />
                  <br />
                  <br />Enjoy, <br />
                  <br />Steffen </span>
                <span class="gensmall"></span>
              </td>
            </tr>
          </tbody>
        </table>
        <!-- END CHANGELOG  -->
      </div>
    </div>
  </div>
  <div class="accordion-item">
    <h2 class="accordion-header" id="flush-headingThree">
      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseThree" aria-expanded="false" aria-controls="flush-collapseThree"> Release Files</button>
    </h2>
    <div id="flush-collapseThree" class="accordion-collapse collapse" aria-labelledby="flush-headingThree" data-bs-parent="#accordionFlushExample">
      <div class="accordion-body">
        <!-- RELEASE FILES LINK(S) HERE -->
        <a href="https://github.com/Bearsampp/module-apache/releases/tag/2024.3.31"> https://github.com/Bearsampp/module-apache/releases/tag/2024.3.31 </a>
        <!-- END RELEASE FILES LINK(S) -->
      </div>
    </div>
  </div>
</div>

Joomla likes to mess with article layout internally so I'll break it down for you.

<h2 class="text-danger text-center">
  <i class="fa fa-shield-alt fa-lg"></i>
  <b>Security release!</b>
  <i class="fa fa-shield-alt fa-lg padding-horiz-30"></i>
</h2>
<div class="accordion accordion-flush" id="accordionFlushExample">
  <div class="accordion-item">
    <h2 class="accordion-header" id="flush-headingOne">
      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseOne" aria-expanded="false" aria-controls="flush-collapseOne"> Vulnerability List </button>
    </h2>
    <div id="flush-collapseOne" class="accordion-collapse collapse" aria-labelledby="flush-headingOne" data-bs-parent="#accordionFlushExample">
      <div class="apcontents">
      </div>
    </div>
  </div>
  <div class="accordion-item">
    <h2 class="accordion-header" id="flush-headingThree">
      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseThree" aria-expanded="false" aria-controls="flush-collapseThree"> Release Files</button>
    </h2>
    <div id="flush-collapseThree" class="accordion-collapse collapse" aria-labelledby="flush-headingThree" data-bs-parent="#accordionFlushExample">
      <div class="accordion-body">
      </div>
    </div>
  </div>
</div>

That's all there is to it! Seems complicated but it really isn't.

Let's take Apache for an example. If you inspect the code at the beginning of what we want, like this... image

We can see that we just need that one line. So, click the 3 little dots on the left, or right-click on that line and choose "Copy element". image

If we now look at the next item down we can see that it has all the content we want. Again, use the 3 dots or right click... image

Change logs are a little bit different. This is NOT what we want! It won't style properly and just looks a mess image

Instead, again using Apache Lounge as our example, we want to start here...

image

And find the release we're talking about....

image

Once we click on that we'll see something that looks like this... image

This one is a little bit trickier but the same procedure applies. Once you've found the area you want, simply use your 3 dots again... image

Once you get the hang of how to find the content you want you'll be able to create the release article in about 15 minutes.
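An added example of the "auto create" method the issue title asks for (not code from the issue or the Bearsampp project): it cuts the "Fixed in ..." block out of a constructed stand-in for httpd's vulnerabilities page, lists the severity and CVE of each entry so they can be checked before publishing, and drops the three parts into the accordion skeleton above. The sample page text, function names and the escaping of the release link are assumptions.

```python
import html
import re

# Article skeleton from the issue: the "Security release!" heading plus a
# three-item flush accordion (Vulnerability List, Change Log, Release Files).
HEAD = ('<h2 class="text-danger text-center">\n  <i class="fa fa-shield-alt fa-lg"></i>\n'
        '  <b>Security release!</b>\n  <i class="fa fa-shield-alt fa-lg padding-horiz-30"></i>\n</h2>\n'
        '<div class="accordion accordion-flush" id="accordionFlushExample">\n')
ITEM = ('  <div class="accordion-item">\n    <h2 class="accordion-header" id="flush-heading{n}">\n'
        '      <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" '
        'data-bs-target="#flush-collapse{n}" aria-expanded="false" aria-controls="flush-collapse{n}">'
        ' {title} </button>\n    </h2>\n'
        '    <div id="flush-collapse{n}" class="accordion-collapse collapse" aria-labelledby="flush-heading{n}"'
        ' data-bs-parent="#accordionFlushExample">\n      <div class="{cls}">\n{body}\n      </div>\n'
        '    </div>\n  </div>\n')

# Constructed stand-in for httpd's vulnerabilities_24.html (not the real page).
SAMPLE_VULN_PAGE = """<h1 id="2.4.59">Fixed in Apache HTTP Server 2.4.59</h1><dl><dt>...</dt></dl>
<h1 id="2.4.58">Fixed in Apache HTTP Server 2.4.58</h1>
<dl>
<dt><h3 id="CVE-2023-31122">low: <name name="CVE-2023-31122">mod_macro buffer over-read</name> ( <a href="https://www.cve.org/CVERecord?id=CVE-2023-31122">CVE-2023-31122</a>) </h3></dt>
<dd><p>Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.</p></dd>
<dt><h3 id="CVE-2023-45802">moderate: <name name="CVE-2023-45802">HTTP/2 stream memory not reclaimed right away on RST</name> ( <a href="https://www.cve.org/CVERecord?id=CVE-2023-45802">CVE-2023-45802</a>) </h3></dt>
<dd><p>Memory for reset streams was only reclaimed at connection close.</p></dd>
</dl>
<h1 id="2.4.57">Fixed in Apache HTTP Server 2.4.57</h1>"""


def release_section(page, version):
    """Return the '<h1 id="VERSION">' heading through its closing </dl>: the one element the issue says to copy."""
    m = re.search(r'<h1 id="%s">.*?</dl>' % re.escape(version), page, re.S)
    if not m:
        raise ValueError("no 'Fixed in' section for version %s" % version)
    return m.group(0)

def vulnerabilities(section):
    """(severity, CVE id) for every <h3> entry, so the editor can eyeball the list before publishing."""
    return [(sev, cve) for cve, sev in re.findall(r'<h3 id="(CVE-\d{4}-\d+)">(\w+):', section)]

def build_article(section, changelog_html, release_url):
    """Assemble the full article; the release URL is escaped so it cannot break out of the href."""
    link = html.escape(release_url, quote=True)
    files = '        <a href="%s"> %s </a>' % (link, link)
    return (HEAD
            + ITEM.format(n="One", title="Vulnerability List", cls="apcontents", body=section)
            + ITEM.format(n="Two", title="Change Log", cls="accordion-body", body=changelog_html)
            + ITEM.format(n="Three", title="Release Files", cls="accordion-body", body=files)
            + "</div>\n")
```

The change log body is passed through as-is, so the forum post copied from Apache Lounge keeps its own markup.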

N6REJ commented 5 months ago

fix with templates