[Buildroot] [PATCH] package/apache: security bump to version 2.4.38

Peter Korsgaard peter at korsgaard.com
Tue Jan 29 18:29:52 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 >   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
 >      mod_session: mod_session_cookie does not respect expiry time allowing
 >      sessions to be reused.  [Hank Ibell]

 >   *) SECURITY: CVE-2018-17189 (cve.mitre.org)
 >      mod_http2: fixes a DoS attack vector. By sending slow request bodies
 >      to resources not consuming them, httpd cleanup code occupies a server
 >      thread unnecessarily. This was changed to an immediate stream reset
 >      which discards all stream state and incoming data.  [Stefan Eissing]

 >   *) SECURITY: CVE-2019-0190 (cve.mitre.org)
 >      mod_ssl: Fix infinite loop triggered by a client-initiated
 >      renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
 >      later.  PR 63052.  [Joe Orton]

 > For more details, see the CHANGES file:
 > https://www.apache.org/dist/httpd/CHANGES_2.4.38

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list