Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2019/08/17 14:41:42 UTC

CVE-2019-10097 vs. CHANGEs entry

Hi,

Shouldn't CVE-2019-10097 be listed under 2.4.41, too?

Cheers,
Stefan

--- httpd/httpd/branches/2.4.x/CHANGES	2019/08/14 20:43:00	1865188
+++ httpd/httpd/branches/2.4.x/CHANGES	2019/08/14 20:52:45	1865189
@@ -1,8 +1,39 @@
                                                          -*- coding:
utf-8 -*-
 Changes with Apache 2.4.42

+  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+     when reading the PROXY protocol header.  [Joe Orton,
+     Daniel McCarney <cpu letsencrypt.org>]
+
 Changes with Apache 2.4.41

+  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+     mod_http2: a malicious client could perform a DoS attack by flooding
+        a connection with requests and basically never reading responses
+        on the TCP connection. Depending on h2 worker dimensioning, it was
+        possible to block those with relatively few connections.
[Stefan Eissing]
+
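Review bot: the new CVE-2019-10097 entry is inserted under the "Changes with Apache 2.4.42" heading, but as the question above points out it belongs with the 2.4.41 entries alongside CVE-2019-9517, so the block should move below the "Changes with Apache 2.4.41" line. While moving it, "NULL pointer deference" should read "NULL pointer dereference".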

Re: CVE-2019-10097 vs. CHANGEs entry

Posted by Daniel Ruggeri <dr...@apache.org>.
Ah, yes... Not sure how I made that error. Just fixed!
-- 
Daniel Ruggeri

On August 17, 2019 9:41:42 AM CDT, Stefan Fritsch <sf...@sfritsch.de> wrote:
>Hi,
>
>Shouldn't CVE-2019-10097 be listed under 2.4.41, too?
>
>Cheers,
>Stefan
>
>--- httpd/httpd/branches/2.4.x/CHANGES	2019/08/14 20:43:00	1865188
>+++ httpd/httpd/branches/2.4.x/CHANGES	2019/08/14 20:52:45	1865189
>@@ -1,8 +1,39 @@
>                                                          -*- coding:
>utf-8 -*-
> Changes with Apache 2.4.42
>
>+  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
>+     mod_remoteip: Fix stack buffer overflow and NULL pointer
>deference
>+     when reading the PROXY protocol header.  [Joe Orton,
>+     Daniel McCarney <cpu letsencrypt.org>]
>+
> Changes with Apache 2.4.41
>
>+  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
>+     mod_http2: a malicious client could perform a DoS attack by
>flooding
>+        a connection with requests and basically never reading
>responses
>+        on the TCP connection. Depending on h2 worker dimensioning, it
>was
>+        possible to block those with relatively few connections.
>[Stefan Eissing]
>+