-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-a4ed7400f4 2019-05-14 01:05:19.928536 --------------------------------------------------------------------------------
Name : httpd Product : Fedora 28 Version : 2.4.39 Release : 1.1.fc28 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server.
-------------------------------------------------------------------------------- Update Information:
This update includes the latest upstream release of **Apache httpd**, version **2.4.39**, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39 The following security vulnerabilities are addressed: * `CVE-2019-0211` - MPMs unix: Fix a local priviledge escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the priviledged main process. * `CVE-2019-0215` - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3. * `CVE-2019-0217` - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM. * `CVE-2019-0220`- Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`. -------------------------------------------------------------------------------- ChangeLog:
* Fri May 3 2019 Joe Orton jorton@redhat.com - 2.4.39-1.1 - mod_reqtimeout: fix default values regression (PR 63325) * Tue Apr 2 2019 Lubos Uhliarik luhliari@redhat.com - 2.4.39-1 - new version 2.4.39 * Mon Nov 26 2018 Lubos Uhliarik luhliari@redhat.com - 2.4.34-4 - Resolves: #1652678 - TLS connection allowed while all protocols are forbidden * Fri Jul 20 2018 Joe Orton jorton@redhat.com - 2.4.34-3 - mod_ssl: fix OCSP regression (upstream r1555631) * Wed Jul 18 2018 Joe Orton jorton@redhat.com - 2.4.34-2 - update Obsoletes for mod_proxy_uswgi (#1599113) * Wed Jul 18 2018 Joe Orton jorton@redhat.com - 2.4.34-1 - update to 2.4.34 (#1601160) * Mon Jul 16 2018 Joe Orton jorton@redhat.com - 2.4.33-10 - don't block on service try-restart in posttrans scriptlet - add Lua-based /server-status example page to docs - obsoletes: and provides: for mod_proxy_uswgi (#1599113) * Fri Jul 13 2018 Fedora Release Engineering releng@fedoraproject.org - 2.4.33-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Fri Jul 6 2018 Joe Orton jorton@redhat.com - 2.4.33-8 - add per-request memory leak fix (upstream r1833014) * Fri Jul 6 2018 Joe Orton jorton@redhat.com - 2.4.33-7 - mod_ssl: add PKCS#11 cert/key support (Anderson Sasaki) * Tue Jun 12 2018 Joe Orton jorton@redhat.com - 2.4.33-6 - mod_systemd: show bound ports in status and log to journal at startup. * Thu Apr 19 2018 Joe Orton jorton@redhat.com - 2.4.33-5 - add httpd@.service; update httpd.service(8) and add new stub * Mon Apr 16 2018 Joe Orton jorton@redhat.com - 2.4.33-4 - mod_md: change hard-coded default MdStoreDir to state/md (#1563846) * Thu Apr 12 2018 Joe Orton jorton@redhat.com - 2.4.33-3 - mod_ssl: drop implicit 'SSLEngine on' for vhost w/o certs (#1564537) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1694986 - CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1694986 [ 2 ] Bug #1695046 - CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1695046 [ 3 ] Bug #1694510 - httpd-2.4.39 is available https://bugzilla.redhat.com/show_bug.cgi?id=1694510 [ 4 ] Bug #1698719 - fix a regression introduced in r1740928 https://bugzilla.redhat.com/show_bug.cgi?id=1698719 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-a4ed7400f4' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------