You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/04/02 13:49:30 UTC

svn commit: r33405 - /release/httpd/CHANGES_2.4.39

Author: druggeri
Date: Tue Apr  2 13:49:30 2019
New Revision: 33405

Log:
Update 2.4.39 CHANGES file

Modified:
    release/httpd/CHANGES_2.4.39

Modified: release/httpd/CHANGES_2.4.39
==============================================================================
--- release/httpd/CHANGES_2.4.39 (original)
+++ release/httpd/CHANGES_2.4.39 Tue Apr  2 13:49:30 2019
@@ -1,13 +1,50 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.39
+  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
+     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
+     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
+     request from http/1.1 to http/2 that was not the first request on a
+     connection could lead to a misconfiguration and crash. Servers that
+     never enabled the h2 protocol or only enabled it for https: and
+     did not set "H2Upgrade on" are unaffected by this issue.
+     [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+     mod_http2: using fuzzed network input, the http/2 request
+     handling could be made to access freed memory in string
+     comparision when determining the method of a request and
+     thus process the request incorrectly. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
+     MPMs unix: Fix a local priviledge escalation vulnerability by not
+     maintaining each child's listener bucket number in the scoreboard,
+     preventing unprivileged code like scripts run by/on the server (e.g. via
+     mod_php) from modifying it persistently to abuse the priviledged main
+     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]
+
+  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+     mod_http2: using fuzzed network input, the http/2 request
+     handling could be made to access freed memory in string
+     comparision when determining the method of a request and
+     thus process the request incorrectly. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
+     mod_auth_digest: Fix a race condition checking user credentials which
+     could allow a user with valid credentials to impersonate another,
+     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
+
+  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
+     mod_ssl: Fix access control bypass for per-location/per-dir client
+     certificate verification in TLSv1.3.
+
+  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
+     Merge consecutive slashes in URL's. Opt-out with
+     `MergeSlashes OFF`. [Eric Covener]
 
   *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
      connection is recycled/reused to avoid a possible crash with some SSLProxy
      configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
 
-  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
-     [Michael Kaufmann <mail michael-kaufmann.ch>]
-
   *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
      PR 55348
 
@@ -59,13 +96,6 @@ Changes with Apache 2.4.39
   *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
      lifetime. [Yann Ylavic]
 
-  *) MPMs unix: bind the bucket number of each child to its slot number, for a
-     more efficient per bucket maintenance. [Yann Ylavic]
-
-  *) mod_auth_digest: Fix a race condition. Authentication with valid
-     credentials could be refused in case of concurrent accesses from
-     different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
-
   *) mod_http2: enable re-use of slave connections again. Fixed slave connection
      keepalives counter. [Stefan Eissing]