CHANGES +40 −10
@@ -2,14 +2,51 @@ Changes with Apache 2.4.40 Changes with Apache 2.4.39 *) SECURITY: CVE-2019-0197 (cve.mitre.org) mod_http2: fixes a possible crash when HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host. An Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol or only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue. [Stefan Eissing] *) SECURITY: CVE-2019-0196 (cve.mitre.org) mod_http2: using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. [Stefan Eissing] *) SECURITY: CVE-2019-0211 (cve.mitre.org) MPMs unix: Fix a local priviledge escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the priviledged main process. [Charles Fol <folcharles gmail.com>, Yann Ylavic] *) SECURITY: CVE-2019-0196 (cve.mitre.org) mod_http2: using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. [Stefan Eissing] *) SECURITY: CVE-2019-0217 (cve.mitre.org) mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>] *) SECURITY: CVE-2019-0215 (cve.mitre.org) mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3. *) SECURITY: CVE-2019-0220 (cve.mitre.org) Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`. 
[Eric Covener] *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend connection is recycled/reused to avoid a possible crash with some SSLProxy configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic] *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. [Michael Kaufmann <mail michael-kaufmann.ch>] *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host PR 55348 Loading Loading @@ -61,13 +98,6 @@ Changes with Apache 2.4.39 *) mod_cache_socache: Avoid reallocations and be safe with outgoing data lifetime. [Yann Ylavic] *) MPMs unix: bind the bucket number of each child to its slot number, for a more efficient per bucket maintenance. [Yann Ylavic] *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be refused in case of concurrent accesses from different users. PR 63124. [Simon Kappel <simon.kappel axis.com>] *) mod_http2: enable re-use of slave connections again. Fixed slave connection keepalives counter. [Stefan Eissing] Loading
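Review bot: The CVE-2019-0196 mod_http2 entry is listed twice with identical text in the first hunk (@@ -2,14 +2,51 @@), once after CVE-2019-0197 and again after CVE-2019-0211; drop the second copy. The CVE-2019-0215 mod_ssl entry is the only SECURITY item there without a bracketed credit, so add one or confirm the omission is intended. The new entries also need a spelling pass: "comparision" should be "comparison", "priviledge" and "priviledged" should be "privilege" and "privileged", and "URL's" should be "URLs".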
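Review bot: The two entries dropped by the second hunk (@@ -61,13 +98,6 @@), "MPMs unix: bind the bucket number of each child to its slot number" and "mod_auth_digest: Fix a race condition", carry details that the SECURITY entries replacing them do not repeat. The old mod_auth_digest text said authentication with valid credentials "could be refused" under concurrent access, while the CVE-2019-0217 text only says a user could "impersonate another"; if both symptoms come from the same race tracked in PR 63124, mention the refused-authentication case in the new entry so users who hit it can still find the fix. Likewise, the CVE-2019-0211 entry says only that the bucket number is no longer maintained in the scoreboard; keeping the "bind the bucket number of each child to its slot number" wording there would preserve the description of what the code does instead.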