You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/08/14 20:52:42 UTC
svn commit: r35252 - in /release/httpd: Announcement2.4.html
Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.41 CURRENT-IS-2.4.39
CURRENT-IS-2.4.41
Author: druggeri
Date: Wed Aug 14 20:52:41 2019
New Revision: 35252
Log:
Updates for announcement of 2.4.41
Added:
release/httpd/CURRENT-IS-2.4.41
Removed:
release/httpd/CURRENT-IS-2.4.39
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
release/httpd/CHANGES_2.4
release/httpd/CHANGES_2.4.41
Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Wed Aug 14 20:52:41 2019
@@ -52,7 +52,7 @@
Apache HTTP Server 2.4.41 Released
</h1>
<p>
- September 21, 2018
+ August 14, 2019
</p>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
@@ -62,7 +62,7 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a feature and bug fix release.
+ a security and bug fix release.
</p>
<p>
We consider this release to be the best version of Apache available, and
Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Wed Aug 14 20:52:41 2019
@@ -1,6 +1,6 @@
Apache HTTP Server 2.4.41 Released
- September 21, 2018
+ August 14, 2019
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.41 of the Apache
@@ -8,7 +8,7 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a feature and bug fix release.
+ a security and bug fix release.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Wed Aug 14 20:52:41 2019
@@ -1,6 +1,37 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.41
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen <heinenn google.com>]
Modified: release/httpd/CHANGES_2.4.41
==============================================================================
--- release/httpd/CHANGES_2.4.41 (original)
+++ release/httpd/CHANGES_2.4.41 Wed Aug 14 20:52:41 2019
@@ -1,6 +1,37 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.41
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen <heinenn google.com>]
@@ -118,3 +149,13 @@ Changes with Apache 2.4.40
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
Added: release/httpd/CURRENT-IS-2.4.41
==============================================================================
(empty)