From 1aec2091ffcc4edea2dd6cc57ddb78a872108c86 Mon Sep 17 00:00:00 2001 From: Daniel Ruggeri Date: Tue, 22 Jan 2019 17:13:10 +0000 Subject: [PATCH] Updates for announcement of 2.4.38 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851837 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 15 +++++++++++++++ STATUS | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1d1019fb4fb..1a0fa600ec4 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,21 @@ Changes with Apache 2.4.39 Changes with Apache 2.4.38 + *) SECURITY: CVE-2018-17199 (cve.mitre.org) + mod_session: mod_session_cookie does not respect expiry time allowing + sessions to be reused. [Hank Ibell] + + *) SECURITY: CVE-2018-17189 (cve.mitre.org) + mod_http2: fixes a DoS attack vector. By sending slow request bodies + to resources not consuming them, httpd cleanup code occupies a server + thread unnecessarily. This was changed to an immediate stream reset + which discards all stream state and incoming data. [Stefan Eissing] + + *) SECURITY: CVE-2019-0190 (cve.mitre.org) + mod_ssl: Fix infinite loop triggered by a client-initiated + renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and + later. PR 63052. [Joe Orton] + *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052 [Joe Orton] diff --git a/STATUS b/STATUS index ea98052783d..37bdc105cfb 100644 --- a/STATUS +++ b/STATUS @@ -30,7 +30,7 @@ Release history: while x.{even}.z versions are Stable/GA releases.] 2.4.39 : In development - 2.4.38 : Tagged on January 17, 2019 + 2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019. 2.4.37 : Tagged on October 18, 2018. Released on October 23, 2018. 2.4.36 : Tagged on October 10, 2018. Not released. 2.4.35 : Tagged on September 17, 2018. Released on September 22, 2018. -- 2.47.3
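Review bot: In the CHANGES hunk, the new CVE-2019-0190 entry and the existing entry directly below it ("mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052") both cite PR 63052 and both credit Joe Orton, so the log does not show whether these are one fix or two. Consider folding the existing line into the SECURITY entry or cross-referencing it, so operators tracking the CVE can tell which change to look for. Separately, the CVE-2018-17199 entry states only the flaw ("mod_session_cookie does not respect expiry time allowing sessions to be reused") and not what changed, whereas the CVE-2018-17189 entry describes the new behaviour (an immediate stream reset). Wording the mod_session entry as the fix would tell readers what to expect after upgrading.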