From 57e32f2508b182a443e1e8e997b3cb511a638ee3 Mon Sep 17 00:00:00 2001 From: Daniel Ruggeri Date: Wed, 14 Aug 2019 20:52:45 +0000 Subject: [PATCH] Updates for announcement of 2.4.41 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1865189 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 31 +++++++++++++++++++++++++++++++ STATUS | 2 +- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index de685457990..3d8cba3107c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,39 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.42 + *) SECURITY: CVE-2019-10097 (cve.mitre.org) + mod_remoteip: Fix stack buffer overflow and NULL pointer deference + when reading the PROXY protocol header. [Joe Orton, + Daniel McCarney ] + Changes with Apache 2.4.41 + *) SECURITY: CVE-2019-9517 (cve.mitre.org) + mod_http2: a malicious client could perform a DoS attack by flooding + a connection with requests and basically never reading responses + on the TCP connection. Depending on h2 worker dimensioning, it was + possible to block those with relatively few connections. [Stefan Eissing] + + *) SECURITY: CVE-2019-10098 (cve.mitre.org) + rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable + matches and substitutions with encoded line break characters. + [Yann Ylavic] + + *) SECURITY: CVE-2019-10092 (cve.mitre.org) + Remove HTML-escaped URLs from canned error responses to prevent misleading + text/links being displayed via crafted links. [Eric Covener] + + *) SECURITY: CVE-2019-10082 (cve.mitre.org) + mod_http2: Using fuzzed network input, the http/2 session + handling could be made to read memory after being freed, + during connection shutdown. [Stefan Eissing] + + *) SECURITY: CVE-2019-10081 (cve.mitre.org) + mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", + could lead to an overwrite of memory in the pushing request's pool, + leading to crashes. The memory copied is that of the configured push + link header values, not data supplied by the client. [Stefan Eissing] + *) mod_proxy_balancer: Improve balancer-manager protection against XSS/XSRF attacks from trusted users. [Joe Orton, Niels Heinen ] diff --git a/STATUS b/STATUS index 31cd5ecc217..2f3610e6e3a 100644 --- a/STATUS +++ b/STATUS @@ -30,7 +30,7 @@ Release history: while x.{even}.z versions are Stable/GA releases.] 2.4.42 : In development - 2.4.41 : Tagged on August 09, 2019 + 2.4.41 : Tagged on August 09, 2019. Released on August 14, 2019. 2.4.40 : Tagged on August 02, 2019. Not released. 2.4.39 : Tagged on March 27, 2019. Released on April 01, 2019. 2.4.38 : Tagged on January 17, 2019. Released on January 22, 2019. -- 2.47.3