Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/04/02 01:04:50 UTC

svn commit: r33393 - /release/httpd/CHANGES_2.4

Author: druggeri
Date: Tue Apr  2 01:04:50 2019
New Revision: 33393

Log:
Correct changelog for vulnerabilities

Modified:
    release/httpd/CHANGES_2.4

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Tue Apr  2 01:04:50 2019
@@ -1,13 +1,50 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.39
+  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
+     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
+     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
+     request from http/1.1 to http/2 that was not the first request on a
+     connection could lead to a misconfiguration and crash. Servers that
+     never enabled the h2 protocol or only enabled it for https: and
+     did not set "H2Upgrade on" are unaffected by this issue.
+     [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+     mod_http2: using fuzzed network input, the http/2 request
+     handling could be made to access freed memory in string
+     comparision when determining the method of a request and
+     thus process the request incorrectly. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
+     MPMs unix: Fix a local priviledge escalation vulnerability by not
+     maintaining each child's listener bucket number in the scoreboard,
+     preventing unprivileged code like scripts run by/on the server (e.g. via
+     mod_php) from modifying it persistently to abuse the priviledged main
+     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]
+
+  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+     mod_http2: using fuzzed network input, the http/2 request
+     handling could be made to access freed memory in string
+     comparision when determining the method of a request and
+     thus process the request incorrectly. [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
+     mod_auth_digest: Fix a race condition checking user credentials which
+     could allow a user with valid credentials to impersonate another,
+     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
+
+  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
+     mod_ssl: Fix access control bypass for per-location/per-dir client
+     certificate verification in TLSv1.3.
+
+  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
+     Merge consecutive slashes in URL's. Opt-out with
+     `MergeSlashes OFF`. [Eric Covener]
 
   *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
      connection is recycled/reused to avoid a possible crash with some SSLProxy
      configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
 
-  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
-     [Michael Kaufmann <mail michael-kaufmann.ch>]
-
   *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
      PR 55348
 
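Review bot: The CVE-2019-0196 mod_http2 entry is added twice in this hunk, once after CVE-2019-0197 and again after CVE-2019-0211, with identical text; drop the second copy so each CVE is listed once. The added lines also carry misspellings that will ship in the published changelog ("comparision", "priviledge"/"priviledged", "URL's"). The CVE-2019-0215 entry has no credit, while the removed "Correctly restore SSL verify state after TLSv1.3 PHA failure" entry credited Michael Kaufmann; if the new entry replaces that one, keep the attribution. The CVE-2019-0220 entry gives the behaviour change and the `MergeSlashes OFF` opt-out but not what the exposure was, so one clause on the impact would help administrators decide whether opting out is safe for them.
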
@@ -59,13 +96,6 @@ Changes with Apache 2.4.39
   *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
      lifetime. [Yann Ylavic]
 
-  *) MPMs unix: bind the bucket number of each child to its slot number, for a
-     more efficient per bucket maintenance. [Yann Ylavic]
-
-  *) mod_auth_digest: Fix a race condition. Authentication with valid
-     credentials could be refused in case of concurrent accesses from
-     different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
-
   *) mod_http2: enable re-use of slave connections again. Fixed slave connection
      keepalives counter. [Stefan Eissing]
 
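Review bot: The two entries removed here (MPMs unix bucket number, and the mod_auth_digest race condition for PR 63124) reappear at the top of the file reworded as the CVE-2019-0211 and CVE-2019-0217 SECURITY items, but the log message "Correct changelog for vulnerabilities" does not say so; state in the log that they were moved and reworded rather than dropped. For PR 63124 the described impact also changes, from valid credentials being refused to one user impersonating another, and that difference deserves a word in the log as well.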



re: svn commit: r33393 - /release/httpd/CHANGES_2.4

Posted by Daniel Ruggeri <dr...@primary.net>.
The announcement message was also rejected by moderators because we don't have KEYS directly linked on the download page.

I will correct both (about three hrs from now) and reattempt announcement.
-- 
Daniel Ruggeri

On April 2, 2019 1:01:31 AM CDT, Marion et Christophe JAILLET <ch...@wanadoo.fr> wrote:
>Hi,
>
>CHANGES_2.4 has been updated with the SECURITY tags and is available
>from httpd.a.o.
>
>However, http://www.apache.org/dist/httpd/CHANGES_2.4.39 still reflects
>the file without these SECURITY items.
>
>I won't be able to update it before Friday, so feel free to fix it in
>the meantime.
>
>CJ
>
>> Message of 02/04/19 03:04
>> From: druggeri@apache.org
>> To: cvs@httpd.apache.org
>> Cc: 
>> Subject: svn commit: r33393 - /release/httpd/CHANGES_2.4
>> 
>> Author: druggeri
>> Date: Tue Apr 2 01:04:50 2019
>> New Revision: 33393
>> 
>> Log:
>> Correct changelog for vulnerabilities
>> 
>> Modified:
>> release/httpd/CHANGES_2.4
>> 
>> Modified: release/httpd/CHANGES_2.4
>>
>==============================================================================
>> --- release/httpd/CHANGES_2.4 (original)
>> +++ release/httpd/CHANGES_2.4 Tue Apr 2 01:04:50 2019
>> @@ -1,13 +1,50 @@
>> -*- coding: utf-8 -*-
>> Changes with Apache 2.4.39
>> + *) SECURITY: CVE-2019-0197 (cve.mitre.org)
>> + mod_http2: fixes a possible crash when HTTP/2 was enabled for a
>http:
>> + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
>> + request from http/1.1 to http/2 that was not the first request on a
>> + connection could lead to a misconfiguration and crash. Servers that
>> + never enabled the h2 protocol or only enabled it for https: and
>> + did not set "H2Upgrade on" are unaffected by this issue.
>> + [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
>> + mod_http2: using fuzzed network input, the http/2 request
>> + handling could be made to access freed memory in string
>> + comparision when determining the method of a request and
>> + thus process the request incorrectly. [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0211 (cve.mitre.org)
>> + MPMs unix: Fix a local priviledge escalation vulnerability by not
>> + maintaining each child's listener bucket number in the scoreboard,
>> + preventing unprivileged code like scripts run by/on the server
>(e.g. via
>> + mod_php) from modifying it persistently to abuse the priviledged
>main
>> + process. [Charles Fol , Yann Ylavic]
>> +
>> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
>> + mod_http2: using fuzzed network input, the http/2 request
>> + handling could be made to access freed memory in string
>> + comparision when determining the method of a request and
>> + thus process the request incorrectly. [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0217 (cve.mitre.org)
>> + mod_auth_digest: Fix a race condition checking user credentials
>which
>> + could allow a user with valid credentials to impersonate another,
>> + under a threaded MPM. PR 63124. [Simon Kappel ]
>> +
>> + *) SECURITY: CVE-2019-0215 (cve.mitre.org)
>> + mod_ssl: Fix access control bypass for per-location/per-dir client
>> + certificate verification in TLSv1.3.
>> +
>> + *) SECURITY: CVE-2019-0220 (cve.mitre.org)
>> + Merge consecutive slashes in URL's. Opt-out with
>> + `MergeSlashes OFF`. [Eric Covener]
>> 
>> *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a
>backend
>> connection is recycled/reused to avoid a possible crash with some
>SSLProxy
>> configurations in or context. PR 63256. [Yann Ylavic]
>> 
>> - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA
>failure.
>> - [Michael Kaufmann ]
>> -
>> *) mod_log_config: Support %{c}h for conn-hostname, %h for
>useragent_host
>> PR 55348
>> 
>> @@ -59,13 +96,6 @@ Changes with Apache 2.4.39
>> *) mod_cache_socache: Avoid reallocations and be safe with outgoing
>data
>> lifetime. [Yann Ylavic]
>> 
>> - *) MPMs unix: bind the bucket number of each child to its slot
>number, for a
>> - more efficient per bucket maintenance. [Yann Ylavic]
>> -
>> - *) mod_auth_digest: Fix a race condition. Authentication with valid
>> - credentials could be refused in case of concurrent accesses from
>> - different users. PR 63124. [Simon Kappel ]
>> -
>> *) mod_http2: enable re-use of slave connections again. Fixed slave
>connection
>> keepalives counter. [Stefan Eissing]
>> 
>> 
>> 
>>

re: svn commit: r33393 - /release/httpd/CHANGES_2.4

Posted by Marion et Christophe JAILLET <ch...@wanadoo.fr>.
Hi,

CHANGES_2.4 has been updated with the SECURITY tags and is available from httpd.a.o.

However, http://www.apache.org/dist/httpd/CHANGES_2.4.39 still reflects the file without these SECURITY items.

I won't be able to update it before Friday, so feel free to fix it in the meantime.

CJ

> Message of 02/04/19 03:04
> From: druggeri@apache.org
> To: cvs@httpd.apache.org
> Cc: 
> Subject: svn commit: r33393 - /release/httpd/CHANGES_2.4
> 
> Author: druggeri
> Date: Tue Apr 2 01:04:50 2019
> New Revision: 33393
> 
> Log:
> Correct changelog for vulnerabilities
> 
> Modified:
> release/httpd/CHANGES_2.4
> 
> Modified: release/httpd/CHANGES_2.4
> ==============================================================================
> --- release/httpd/CHANGES_2.4 (original)
> +++ release/httpd/CHANGES_2.4 Tue Apr 2 01:04:50 2019
> @@ -1,13 +1,50 @@
> -*- coding: utf-8 -*-
> Changes with Apache 2.4.39
> + *) SECURITY: CVE-2019-0197 (cve.mitre.org)
> + mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
> + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
> + request from http/1.1 to http/2 that was not the first request on a
> + connection could lead to a misconfiguration and crash. Servers that
> + never enabled the h2 protocol or only enabled it for https: and
> + did not set "H2Upgrade on" are unaffected by this issue.
> + [Stefan Eissing]
> +
> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
> + mod_http2: using fuzzed network input, the http/2 request
> + handling could be made to access freed memory in string
> + comparision when determining the method of a request and
> + thus process the request incorrectly. [Stefan Eissing]
> +
> + *) SECURITY: CVE-2019-0211 (cve.mitre.org)
> + MPMs unix: Fix a local priviledge escalation vulnerability by not
> + maintaining each child's listener bucket number in the scoreboard,
> + preventing unprivileged code like scripts run by/on the server (e.g. via
> + mod_php) from modifying it persistently to abuse the priviledged main
> + process. [Charles Fol , Yann Ylavic]
> +
> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
> + mod_http2: using fuzzed network input, the http/2 request
> + handling could be made to access freed memory in string
> + comparision when determining the method of a request and
> + thus process the request incorrectly. [Stefan Eissing]
> +
> + *) SECURITY: CVE-2019-0217 (cve.mitre.org)
> + mod_auth_digest: Fix a race condition checking user credentials which
> + could allow a user with valid credentials to impersonate another,
> + under a threaded MPM. PR 63124. [Simon Kappel ]
> +
> + *) SECURITY: CVE-2019-0215 (cve.mitre.org)
> + mod_ssl: Fix access control bypass for per-location/per-dir client
> + certificate verification in TLSv1.3.
> +
> + *) SECURITY: CVE-2019-0220 (cve.mitre.org)
> + Merge consecutive slashes in URL's. Opt-out with
> + `MergeSlashes OFF`. [Eric Covener]
> 
> *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
> connection is recycled/reused to avoid a possible crash with some SSLProxy
> configurations in or context. PR 63256. [Yann Ylavic]
> 
> - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
> - [Michael Kaufmann ]
> -
> *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
> PR 55348
> 
> @@ -59,13 +96,6 @@ Changes with Apache 2.4.39
> *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
> lifetime. [Yann Ylavic]
> 
> - *) MPMs unix: bind the bucket number of each child to its slot number, for a
> - more efficient per bucket maintenance. [Yann Ylavic]
> -
> - *) mod_auth_digest: Fix a race condition. Authentication with valid
> - credentials could be refused in case of concurrent accesses from
> - different users. PR 63124. [Simon Kappel ]
> -
> *) mod_http2: enable re-use of slave connections again. Fixed slave connection
> keepalives counter. [Stefan Eissing]
> 
> 
> 
>