Updates for announcement of 2.4.38

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851837 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 1d1019fb4fbd33b4044bcdb289a12e9663102ea7..1a0fa600ec4928d69f2c0f70ed4f675d14c446d3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,21 @@ Changes with Apache 2.4.39
 
 Changes with Apache 2.4.38
 
+  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
+     mod_session: mod_session_cookie does not respect expiry time allowing
+     sessions to be reused.  [Hank Ibell]
+
+  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
+     mod_http2: fixes a DoS attack vector. By sending slow request bodies
+     to resources not consuming them, httpd cleanup code occupies a server
+     thread unnecessarily. This was changed to an immediate stream reset
+     which discards all stream state and incoming data.  [Stefan Eissing]
+
+  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
+     mod_ssl: Fix infinite loop triggered by a client-initiated
+     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+     later.  PR 63052.  [Joe Orton]
+
   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
      PR 63052 [Joe Orton]
 

diff --git a/STATUS b/STATUS
index ea98052783db4c9cfe47d5232ca3394a69a8c01a..37bdc105cfbb1910217e5d38d842f9ceb830db3c 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -30,7 +30,7 @@ Release history:
           while x.{even}.z versions are Stable/GA releases.]
 
     2.4.39  : In development
-    2.4.38  : Tagged on January 17, 2019
+    2.4.38  : Tagged on January 17, 2019. Released on January 22, 2019.
     2.4.37  : Tagged on October 18, 2018. Released on October 23, 2018.
     2.4.36  : Tagged on October 10, 2018. Not released.
     2.4.35  : Tagged on September 17, 2018. Released on September 22, 2018.