Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/04/02 01:10:00 UTC
svn commit: r1856789 - /httpd/httpd/branches/2.4.x/CHANGES
Author: druggeri
Date: Tue Apr 2 01:10:00 2019
New Revision: 1856789
URL: http://svn.apache.org/viewvc?rev=1856789&view=rev
Log:
Correct changelog for vulnerabilities
Modified:
httpd/httpd/branches/2.4.x/CHANGES
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1856789&r1=1856788&r2=1856789&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Apr 2 01:10:00 2019
@@ -2,14 +2,51 @@
Changes with Apache 2.4.40
Changes with Apache 2.4.39
+ *) SECURITY: CVE-2019-0197 (cve.mitre.org)
+ mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
+ host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
+ request from http/1.1 to http/2 that was not the first request on a
+ connection could lead to a misconfiguration and crash. Servers that
+ never enabled the h2 protocol or only enabled it for https: and
+ did not set "H2Upgrade on" are unaffected by this issue.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+ mod_http2: using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparision when determining the method of a request and
+ thus process the request incorrectly. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0211 (cve.mitre.org)
+ MPMs unix: Fix a local priviledge escalation vulnerability by not
+ maintaining each child's listener bucket number in the scoreboard,
+ preventing unprivileged code like scripts run by/on the server (e.g. via
+ mod_php) from modifying it persistently to abuse the priviledged main
+ process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
+
+ *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+ mod_http2: using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparision when determining the method of a request and
+ thus process the request incorrectly. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0217 (cve.mitre.org)
+ mod_auth_digest: Fix a race condition checking user credentials which
+ could allow a user with valid credentials to impersonate another,
+ under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
+
+ *) SECURITY: CVE-2019-0215 (cve.mitre.org)
+ mod_ssl: Fix access control bypass for per-location/per-dir client
+ certificate verification in TLSv1.3.
+
+ *) SECURITY: CVE-2019-0220 (cve.mitre.org)
+ Merge consecutive slashes in URL's. Opt-out with
+ `MergeSlashes OFF`. [Eric Covener]
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
- *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
- [Michael Kaufmann <mail michael-kaufmann.ch>]
-
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
PR 55348
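Review bot: The CVE-2019-0196 entry is added twice in this hunk, once after CVE-2019-0197 and again after CVE-2019-0211, with identical text; drop the second copy. In the same added lines, "comparision" should be "comparison", "priviledge" and "priviledged" should be "privilege" and "privileged", and "URL's" should be "URLs". The CVE-2019-0215 entry is the only SECURITY item without a bracketed credit, while the removed mod_ssl TLSv1.3 PHA entry credited Michael Kaufmann; if the new entry replaces that one, carry the credit over.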
@@ -61,13 +98,6 @@ Changes with Apache 2.4.39
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime. [Yann Ylavic]
- *) MPMs unix: bind the bucket number of each child to its slot number, for a
- more efficient per bucket maintenance. [Yann Ylavic]
-
- *) mod_auth_digest: Fix a race condition. Authentication with valid
- credentials could be refused in case of concurrent accesses from
- different users. PR 63124. [Simon Kappel <simon.kappel axis.com>]
-
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter. [Stefan Eissing]
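Review bot: Both entries removed here come back reworded as SECURITY items in the earlier hunk (CVE-2019-0211 and CVE-2019-0217), but the log message only says "Correct changelog for vulnerabilities". The MPM entry's original wording, "bind the bucket number of each child to its slot number", is not carried into the CVE-2019-0211 text, and the mod_auth_digest description changes from valid credentials being refused to one user impersonating another. A line in the log stating that these two entries were reclassified as security fixes would make the rewording easy to audit.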