You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/08/14 20:52:45 UTC
svn commit: r1865189 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS
Author: druggeri
Date: Wed Aug 14 20:52:45 2019
New Revision: 1865189
URL: http://svn.apache.org/viewvc?rev=1865189&view=rev
Log:
Updates for announcement of 2.4.41
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1865189&r1=1865188&r2=1865189&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed Aug 14 20:52:45 2019
@@ -1,8 +1,39 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.42
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
Changes with Apache 2.4.41
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen <heinenn google.com>]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1865189&r1=1865188&r2=1865189&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 14 20:52:45 2019
@@ -30,7 +30,7 @@ Release history:
while x.{even}.z versions are Stable/GA releases.]
2.4.42 : In development
- 2.4.41 : Tagged on August 09, 2019
+ 2.4.41 : Tagged on August 09, 2019. Released on August 14, 2019.
2.4.40 : Tagged on August 02, 2019. Not released.
2.4.39 : Tagged on March 27, 2019. Released on April 01, 2019.
2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019.