Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/12/20 18:13:12 UTC
svn commit: r17503 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Author: wrowe
Date: Tue Dec 20 18:13:12 2016
New Revision: 17503
Log:
Record security errata, edits in the next 45 minutes are most welcomed
Modified:
dev/httpd/Announcement2.4.html
dev/httpd/Announcement2.4.txt
Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Tue Dec 20 18:13:12 2016
@@ -23,10 +23,33 @@
the release of version 2.4.25 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
- represents fifteen years of
- innovation by the project, and is recommended over all previous releases. This
- release of Apache is principally a security, feature, and bug fix release.
+ represents fifteen years of innovation by the project, and is
+ recommended over all previous releases. This release of Apache is
+ a security, feature, and bug fix release, and addresses these
+ specific security defects as well as other fixes;
</p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>
+ mod_auth_digest: Prevent segfaults during client entry allocation
+ when the shared memory space is exhausted.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
+ Enforce HTTP request grammar corresponding to RFC7230 for request
+ lines and request headers, to prevent response splitting and cache
+ pollution by malicious clients or downstream proxies.
+</li>
+</ul>
<p>
NOTE: version 2.4.24 was not released.
</p>
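Review bot: the CVE-2016-5387 list item in this hunk (the `<li>` between CVE-2016-2161 and CVE-2016-8740) contains only the link and no description, while every other item carries a one-line summary; the text version of the same edit describes it as `core: Mitigate [f]cgi "httpoxy" issues.`, so add that line inside the `<li>` so the HTML and text announcements agree. Also, the sentence that introduces the list ends with a semicolon (`specific security defects as well as other fixes;`); a colon is the conventional lead-in to a list.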
Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Tue Dec 20 18:13:12 2016
@@ -6,7 +6,29 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- principally a security, feature, and bug fix release.
+ a security, feature, and bug fix release, and addresses these
+ specific security defects as well as other fixes;
+
+ CVE-2016-0736 (cve.mitre.org)
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack.
+
+ CVE-2016-2161 (cve.mitre.org)
+ mod_auth_digest: Prevent segfaults during client entry allocation
+ when the shared memory space is exhausted.
+
+ CVE-2016-5387 (cve.mitre.org)
+ core: Mitigate [f]cgi "httpoxy" issues.
+
+ CVE-2016-8740 (cve.mitre.org)
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+
+ CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request
+ lines and request headers, to prevent response splitting and cache
+ pollution by malicious clients or downstream proxies.
NOTE: Version 2.4.24 was not released.
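Review bot: the final entry (CVE-2016-8743) runs directly into the unchanged `NOTE: Version 2.4.24 was not released.` line, while every other entry in this hunk is separated from its neighbour by a blank line; add a blank line after `pollution by malicious clients or downstream proxies.` so the NOTE stands apart from the CVE list. The same semicolon-before-list issue as in the HTML file applies to `as well as other fixes;`, which should be a colon.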
Re: svn commit: r17503 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, Dec 20, 2016 at 12:34 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:
> On Tue, Dec 20, 2016 at 12:13 PM, <wr...@apache.org> wrote:
>
>> Author: wrowe
>> Date: Tue Dec 20 18:13:12 2016
>> New Revision: 17503
>>
>> Log:
>> Record security errata, edits in the next 45 minutes are most welcomed
>>
>> Modified:
>> dev/httpd/Announcement2.4.html
>> dev/httpd/Announcement2.4.txt
>>
>
> I'll take the Announcement live on the hour (30 min from now), anyone
> who wants to edit, the path is a little unusual;
>
> https://dist.apache.org/repos/dist/dev/httpd
>
> I'll pick up any final edits before replicating to release/dev/httpd
>
> Trying to get as much of httpd_vulnerabilities.xml caught up ahead
> of the announce as is reasonable. Doesn't help that the latest
> dnf update vim completely smashed my vim behavior ;-/
>
Accomplished with some help from jchampion as I didn't have any
smtp set up for @apache personality (the joys of being gmail-bound.)
Review of the website etc welcomed. Thanks to all who helped get
this ready, thanks again to Jim for RM'ing!
Re: svn commit: r17503 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, Dec 20, 2016 at 12:13 PM, <wr...@apache.org> wrote:
> Author: wrowe
> Date: Tue Dec 20 18:13:12 2016
> New Revision: 17503
>
> Log:
> Record security errata, edits in the next 45 minutes are most welcomed
>
> Modified:
> dev/httpd/Announcement2.4.html
> dev/httpd/Announcement2.4.txt
>
I'll take the Announcement live on the hour (30 min from now), anyone
who wants to edit, the path is a little unusual;
https://dist.apache.org/repos/dist/dev/httpd
I'll pick up any final edits before replicating to release/dev/httpd
Trying to get as much of httpd_vulnerabilities.xml caught up ahead
of the announce as is reasonable. Doesn't help that the latest
dnf update vim completely smashed my vim behavior ;-/