From: Daniel Ruggeri Date: Tue, 2 Apr 2019 01:10:00 +0000 (+0000) Subject: Correct changelog for vulnerabilities X-Git-Tag: 2.4.40~155 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73ba7b5182f485a146fcf389730d594dd4c34b15;p=thirdparty%2Fapache%2Fhttpd.git Correct changelog for vulnerabilities git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1856789 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index d78116801c0..c4deafbdeae 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,14 +2,51 @@ Changes with Apache 2.4.40 Changes with Apache 2.4.39 + *) SECURITY: CVE-2019-0197 (cve.mitre.org) + mod_http2: fixes a possible crash when HTTP/2 was enabled for a http: + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade + request from http/1.1 to http/2 that was not the first request on a + connection could lead to a misconfiguration and crash. Servers that + never enabled the h2 protocol or only enabled it for https: and + did not set "H2Upgrade on" are unaffected by this issue. + [Stefan Eissing] + + *) SECURITY: CVE-2019-0196 (cve.mitre.org) + mod_http2: using fuzzed network input, the http/2 request + handling could be made to access freed memory in string + comparision when determining the method of a request and + thus process the request incorrectly. [Stefan Eissing] + + *) SECURITY: CVE-2019-0211 (cve.mitre.org) + MPMs unix: Fix a local priviledge escalation vulnerability by not + maintaining each child's listener bucket number in the scoreboard, + preventing unprivileged code like scripts run by/on the server (e.g. via + mod_php) from modifying it persistently to abuse the priviledged main + process. [Charles Fol , Yann Ylavic] + + *) SECURITY: CVE-2019-0196 (cve.mitre.org) + mod_http2: using fuzzed network input, the http/2 request + handling could be made to access freed memory in string + comparision when determining the method of a request and + thus process the request incorrectly. [Stefan Eissing] + + *) SECURITY: CVE-2019-0217 (cve.mitre.org) + mod_auth_digest: Fix a race condition checking user credentials which + could allow a user with valid credentials to impersonate another, + under a threaded MPM. PR 63124. [Simon Kappel ] + + *) SECURITY: CVE-2019-0215 (cve.mitre.org) + mod_ssl: Fix access control bypass for per-location/per-dir client + certificate verification in TLSv1.3. + + *) SECURITY: CVE-2019-0220 (cve.mitre.org) + Merge consecutive slashes in URL's. Opt-out with + `MergeSlashes OFF`. 
[Eric Covener] *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend connection is recycled/reused to avoid a possible crash with some SSLProxy configurations in or context. PR 63256. [Yann Ylavic] - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. - [Michael Kaufmann ] - *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host PR 55348 @@ -61,13 +98,6 @@ Changes with Apache 2.4.39 *) mod_cache_socache: Avoid reallocations and be safe with outgoing data lifetime. [Yann Ylavic] - *) MPMs unix: bind the bucket number of each child to its slot number, for a - more efficient per bucket maintenance. [Yann Ylavic] - - *) mod_auth_digest: Fix a race condition. Authentication with valid - credentials could be refused in case of concurrent accesses from - different users. PR 63124. [Simon Kappel ] - *) mod_http2: enable re-use of slave connections again. Fixed slave connection keepalives counter. [Stefan Eissing]
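Review bot: in the first hunk (@@ -2,14 +2,51 @@) the CVE-2019-0196 mod_http2 entry is added twice with identical text, once after CVE-2019-0197 and again after CVE-2019-0211; drop the second copy. The CVE-2019-0215 mod_ssl entry is the only added SECURITY entry without a bracketed credit, while the mod_ssl "Correctly restore SSL verify state after TLSv1.3 PHA failure" entry removed in the same hunk credited Michael Kaufmann; if the new entry replaces that one, carry the credit over. Spelling in the added lines: "comparision" should be "comparison", "priviledge" and "priviledged" should be "privilege" and "privileged", and "URL's" should be "URLs".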
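Review bot: in the second hunk (@@ -61,13 +98,6 @@) the MPMs unix and mod_auth_digest entries are deleted with nothing added in their place; their counterparts are the CVE-2019-0211 and CVE-2019-0217 entries added at the top of the 2.4.39 section, so the commit message should say the entries were reworded and moved rather than only "Correct changelog for vulnerabilities". The mod_auth_digest wording also changes the stated impact, from valid credentials that "could be refused" to a user who can "impersonate another"; please confirm the new text is the intended description for PR 63124. The removed MPMs line was the only place that described the earlier change ("bind the bucket number of each child to its slot number"), so consider keeping a short mention of it in the CVE-2019-0211 entry for readers comparing releases.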