Changes with Apache 2.4.38
+ *) SECURITY: CVE-2018-17199 (cve.mitre.org)
+ mod_session: mod_session_cookie does not respect expiry time allowing
+ sessions to be reused. [Hank Ibell]
+
+ *) SECURITY: CVE-2018-17189 (cve.mitre.org)
+ mod_http2: fixes a DoS attack vector. By sending slow request bodies
+ to resources not consuming them, httpd cleanup code occupies a server
+ thread unnecessarily. This was changed to an immediate stream reset
+ which discards all stream state and incoming data. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0190 (cve.mitre.org)
+ mod_ssl: Fix infinite loop triggered by a client-initiated
+ renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+ later. PR 63052. [Joe Orton]
+
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
PR 63052 [Joe Orton]
while x.{even}.z versions are Stable/GA releases.]
2.4.39 : In development
- 2.4.38 : Tagged on January 17, 2019
+ 2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019.
2.4.37 : Tagged on October 18, 2018. Released on October 23, 2018.
2.4.36 : Tagged on October 10, 2018. Not released.
2.4.35 : Tagged on September 17, 2018. Released on September 22, 2018.