Commit 2799f8a3 authored by Daniel Ruggeri

Updates for announcement of 2.4.38

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851837 13f79535-47bb-0310-9956-ffa450edef68
parent 5b593ab1
+15 −0
@@ -3,6 +3,21 @@ Changes with Apache 2.4.39

Changes with Apache 2.4.38

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

  *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
     PR 63052 [Joe Orton]
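
Review bot: The new CVE-2019-0190 entry and the existing mod_ssl entry directly below it both cite PR 63052 and both credit Joe Orton, so a reader cannot tell whether 2.4.38 carries one fix or two for client-initiated renegotiation. Either fold the "Clear retry flag before aborting client-initiated renegotiation" line into the SECURITY entry or state in the SECURITY entry that it refers to the same change. Separately, the CVE-2018-17199 entry states only the flaw ("does not respect expiry time allowing sessions to be reused") and not what the release does differently, whereas the CVE-2018-17189 entry names the new behaviour (an immediate stream reset); one clause describing the changed expiry handling would let operators judge how existing session cookies are treated after upgrading.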

+1 −1
@@ -30,7 +30,7 @@ Release history:
          while x.{even}.z versions are Stable/GA releases.]

    2.4.39  : In development
    2.4.38  : Tagged on January 17, 2019
    2.4.38  : Tagged on January 17, 2019. Released on January 22, 2019.
    2.4.37  : Tagged on October 18, 2018. Released on October 23, 2018.
    2.4.36  : Tagged on October 10, 2018. Not released.
    2.4.35  : Tagged on September 17, 2018. Released on September 22, 2018.