-*- coding: utf-8 -*-
Changes with Apache 2.4.42
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
Changes with Apache 2.4.41
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen <heinenn google.com>]
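Review bot: the CVE-2019-10097 entry is filed under "Changes with Apache 2.4.42", while the other five SECURITY entries are under 2.4.41 and the STATUS list still marks 2.4.42 as "In development". Please confirm that 2.4.42 is the release in which the mod_remoteip fix first ships, because readers use this heading to decide which version to upgrade to. In the same entry, "NULL pointer deference" should read "NULL pointer dereference". In the CVE-2019-10098 entry, the component is given as "rewrite, core" where the neighbouring entries use full module names such as mod_http2; "mod_rewrite, core" would be consistent. The CVE-2019-10092 entry names no component at all, so a short prefix saying which code produces the canned error responses would help anyone searching the file by module.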
while x.{even}.z versions are Stable/GA releases.]
2.4.42 : In development
- 2.4.41 : Tagged on August 09, 2019
+ 2.4.41 : Tagged on August 09, 2019. Released on August 14, 2019.
2.4.40 : Tagged on August 02, 2019. Not released.
2.4.39 : Tagged on March 27, 2019. Released on April 01, 2019.
2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019.