[Buildroot] [PATCH] package/apache: security bump to version 2.4.39

Peter Korsgaard peter at korsgaard.com
Wed Apr 3 07:24:42 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 >   *) SECURITY: CVE-2019-0197 (cve.mitre.org)
 >      mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
 >      host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
 >      request from http/1.1 to http/2 that was not the first request on a
 >      connection could lead to a misconfiguration and crash. Servers that
 >      never enabled the h2 protocol or only enabled it for https: and
 >      did not set "H2Upgrade on" are unaffected by this issue.
 >      [Stefan Eissing]

 >   *) SECURITY: CVE-2019-0196 (cve.mitre.org)
 >      mod_http2: using fuzzed network input, the http/2 request
 >      handling could be made to access freed memory in string
 >      comparision when determining the method of a request and
 >      thus process the request incorrectly. [Stefan Eissing]

 >   *) SECURITY: CVE-2019-0211 (cve.mitre.org)
 >      MPMs unix: Fix a local priviledge escalation vulnerability by not
 >      maintaining each child's listener bucket number in the scoreboard,
 >      preventing unprivileged code like scripts run by/on the server (e.g. via
 >      mod_php) from modifying it persistently to abuse the priviledged main
 >      process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

 >   *) SECURITY: CVE-2019-0196 (cve.mitre.org)
 >      mod_http2: using fuzzed network input, the http/2 request
 >      handling could be made to access freed memory in string
 >      comparision when determining the method of a request and
 >      thus process the request incorrectly. [Stefan Eissing]

 >   *) SECURITY: CVE-2019-0217 (cve.mitre.org)
 >      mod_auth_digest: Fix a race condition checking user credentials which
 >      could allow a user with valid credentials to impersonate another,
 >      under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

 >   *) SECURITY: CVE-2019-0215 (cve.mitre.org)
 >      mod_ssl: Fix access control bypass for per-location/per-dir client
 >      certificate verification in TLSv1.3.

 >   *) SECURITY: CVE-2019-0220 (cve.mitre.org)
 >      Merge consecutive slashes in URL's. Opt-out with
 >      `MergeSlashes OFF`. [Eric Covener]

 > For more details, see the CHANGES file:
 > https://www.apache.org/dist/httpd/CHANGES_2.4.39

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list