Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/01/22 17:13:10 UTC

svn commit: r1851837 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS

Author: druggeri
Date: Tue Jan 22 17:13:10 2019
New Revision: 1851837

URL: http://svn.apache.org/viewvc?rev=1851837&view=rev
Log:
Updates for announcement of 2.4.38

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1851837&r1=1851836&r2=1851837&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jan 22 17:13:10 2019
@@ -3,6 +3,21 @@ Changes with Apache 2.4.39
 
 Changes with Apache 2.4.38
 
+  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
+     mod_session: mod_session_cookie does not respect expiry time allowing
+     sessions to be reused.  [Hank Ibell]
+
+  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
+     mod_http2: fixes a DoS attack vector. By sending slow request bodies
+     to resources not consuming them, httpd cleanup code occupies a server
+     thread unnecessarily. This was changed to an immediate stream reset
+     which discards all stream state and incoming data.  [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
+     mod_ssl: Fix infinite loop triggered by a client-initiated
+     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+     later.  PR 63052.  [Joe Orton]
+
   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
      PR 63052 [Joe Orton]
 
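Review bot: The new CVE-2019-0190 entry and the existing "mod_ssl: Clear retry flag before aborting client-initiated renegotiation" entry just below it both cite PR 63052 and Joe Orton, so the 2.4.38 section now appears to list one mod_ssl fix twice; consider folding the older line into the SECURITY entry or stating that both lines refer to the same change. Separately, the CVE-2018-17199 entry gives only the defect ("does not respect expiry time allowing sessions to be reused") in the present tense, while the other two entries say what was changed; rewording it to state the fix would keep readers from taking it as a description of 2.4.38 behaviour.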

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1851837&r1=1851836&r2=1851837&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jan 22 17:13:10 2019
@@ -30,7 +30,7 @@ Release history:
           while x.{even}.z versions are Stable/GA releases.]
 
     2.4.39  : In development
-    2.4.38  : Tagged on January 17, 2019
+    2.4.38  : Tagged on January 17, 2019. Released on January 22, 2019.
     2.4.37  : Tagged on October 18, 2018. Released on October 23, 2018.
     2.4.36  : Tagged on October 10, 2018. Not released.
     2.4.35  : Tagged on September 17, 2018. Released on September 22, 2018.