You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/08/14 20:52:42 UTC

svn commit: r35252 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.41 CURRENT-IS-2.4.39 CURRENT-IS-2.4.41

Author: druggeri
Date: Wed Aug 14 20:52:41 2019
New Revision: 35252

Log:
Updates for announcement of 2.4.41

Added:
    release/httpd/CURRENT-IS-2.4.41
Removed:
    release/httpd/CURRENT-IS-2.4.39
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.41

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Wed Aug 14 20:52:41 2019
@@ -52,7 +52,7 @@
                        Apache HTTP Server 2.4.41 Released
 </h1>
 <p>
-   September 21, 2018
+   August 14, 2019
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
@@ -62,7 +62,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Wed Aug 14 20:52:41 2019
@@ -1,6 +1,6 @@
                 Apache HTTP Server 2.4.41 Released
 
-   September 21, 2018
+   August 14, 2019
 
    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.41 of the Apache
@@ -8,7 +8,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Wed Aug 14 20:52:41 2019
@@ -1,6 +1,37 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.41
 
+  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+     could lead to an overwrite of memory in the pushing request's pool,
+     leading to crashes. The memory copied is that of the configured push
+     link header values, not data supplied by the client. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+     mod_http2: a malicious client could perform a DoS attack by flooding
+     a connection with requests and basically never reading responses
+     on the TCP connection. Depending on h2 worker dimensioning, it was
+     possible to block those with relatively few connections. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+     matches and substitutions with encoded line break characters.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+     Remove HTML-escaped URLs from canned error responses to prevent misleading
+     text/links being displayed via crafted links. [Eric Covener]
+
+  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+     when reading the PROXY protocol header.  [Joe Orton,
+     Daniel McCarney <cpu letsencrypt.org>]
+
+  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+     mod_http2: Using fuzzed network input, the http/2 session
+     handling could be made to read memory after being freed,
+     during connection shutdown. [Stefan Eissing]
+
   *) mod_proxy_balancer: Improve balancer-manager protection against 
      XSS/XSRF attacks from trusted users.  [Joe Orton,
      Niels Heinen <heinenn google.com>]

Modified: release/httpd/CHANGES_2.4.41
==============================================================================
--- release/httpd/CHANGES_2.4.41 (original)
+++ release/httpd/CHANGES_2.4.41 Wed Aug 14 20:52:41 2019
@@ -1,6 +1,37 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.41
 
+  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+     could lead to an overwrite of memory in the pushing request's pool,
+     leading to crashes. The memory copied is that of the configured push
+     link header values, not data supplied by the client. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+     mod_http2: a malicious client could perform a DoS attack by flooding
+     a connection with requests and basically never reading responses
+     on the TCP connection. Depending on h2 worker dimensioning, it was
+     possible to block those with relatively few connections. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+     matches and substitutions with encoded line break characters.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+     Remove HTML-escaped URLs from canned error responses to prevent misleading
+     text/links being displayed via crafted links. [Eric Covener]
+
+  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+     when reading the PROXY protocol header.  [Joe Orton,
+     Daniel McCarney <cpu letsencrypt.org>]
+
+  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+     mod_http2: Using fuzzed network input, the http/2 session
+     handling could be made to read memory after being freed,
+     during connection shutdown. [Stefan Eissing]
+
   *) mod_proxy_balancer: Improve balancer-manager protection against 
      XSS/XSRF attacks from trusted users.  [Joe Orton,
      Niels Heinen <heinenn google.com>]
@@ -118,3 +149,13 @@ Changes with Apache 2.4.40
   *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
      spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
 
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup

Added: release/httpd/CURRENT-IS-2.4.41
==============================================================================
    (empty)