From: Daniel Ruggeri Date: Tue, 22 Jan 2019 17:13:10 +0000 (+0000) Subject: Updates for announcement of 2.4.38 X-Git-Tag: 2.4.39~126 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1aec2091ffcc4edea2dd6cc57ddb78a872108c86;p=thirdparty%2Fapache%2Fhttpd.git Updates for announcement of 2.4.38 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851837 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1d1019fb4fb..1a0fa600ec4 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,21 @@ Changes with Apache 2.4.39 Changes with Apache 2.4.38 + *) SECURITY: CVE-2018-17199 (cve.mitre.org) + mod_session: mod_session_cookie does not respect expiry time allowing + sessions to be reused. [Hank Ibell] + + *) SECURITY: CVE-2018-17189 (cve.mitre.org) + mod_http2: fixes a DoS attack vector. By sending slow request bodies + to resources not consuming them, httpd cleanup code occupies a server + thread unnecessarily. This was changed to an immediate stream reset + which discards all stream state and incoming data. [Stefan Eissing] + + *) SECURITY: CVE-2019-0190 (cve.mitre.org) + mod_ssl: Fix infinite loop triggered by a client-initiated + renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and + later. PR 63052. [Joe Orton] + *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052 [Joe Orton] diff --git a/STATUS b/STATUS index ea98052783d..37bdc105cfb 100644 --- a/STATUS +++ b/STATUS @@ -30,7 +30,7 @@ Release history: while x.{even}.z versions are Stable/GA releases.] 2.4.39 : In development - 2.4.38 : Tagged on January 17, 2019 + 2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019. 2.4.37 : Tagged on October 18, 2018. Released on October 23, 2018. 2.4.36 : Tagged on October 10, 2018. Not released. 2.4.35 : Tagged on September 17, 2018. Released on September 22, 2018.
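Review bot: In the CHANGES hunk, the CVE-2018-17199 entry states the defect ("mod_session_cookie does not respect expiry time allowing sessions to be reused") rather than the change, unlike the CVE-2018-17189 and CVE-2019-0190 entries, which say what was changed or fixed. Listed under "Changes with Apache 2.4.38", that wording reads as if the behaviour still holds in this release; suggest phrasing it as the fix, for example that the expiry time is now enforced. Separately, the new CVE-2019-0190 entry and the unchanged entry directly below it ("mod_ssl: Clear retry flag before aborting client-initiated renegotiation") both cite PR 63052, so it would help readers to state whether that entry is the fix for the CVE or to fold the two into one.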