--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-119b14075a
2019-04-06 19:42:42.476842
--------------------------------------------------------------------------------
Name : httpd
Product : Fedora 29
Version : 2.4.39
Release : 2.fc29
URL : https://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--------------------------------------------------------------------------------
Update Information:
This update includes the latest upstream release of **Apache httpd**, version
**2.4.39**, including multiple bug and security fixes. To see the full list of
changes in this release, see:
https://www.apache.org/dist/httpd/CHANGES_2.4.39
The following security vulnerabilities are addressed:

* `CVE-2019-0211` - MPMs unix: Fix a local privilege escalation vulnerability
  by not maintaining each child's listener bucket number in the scoreboard,
  preventing unprivileged code like scripts run by/on the server (e.g. via
  mod_php) from modifying it persistently to abuse the privileged main
  process.
* `CVE-2019-0215` - mod_ssl: Fix access control bypass for
  per-location/per-dir client certificate verification in TLSv1.3.
* `CVE-2019-0217` - mod_auth_digest: Fix a race condition checking user
  credentials which could allow a user with valid credentials to impersonate
  another, under a threaded MPM.
* `CVE-2019-0220` - Merge consecutive slashes in URLs. Opt-out with
  `MergeSlashes OFF`.
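A post-update check for this advisory, as an added example that is not part of the Fedora notice: it compares the installed upstream version against 2.4.39 and lists any active `MergeSlashes Off` opt-out. The function names, the `--audit` switch, the `HTTPD_CONF_DIR` variable and the `/etc/httpd` default are assumptions of this example; only the upstream version is compared, not the package release.

```shell
#!/bin/sh
# Added example: audit helper for FEDORA-2019-119b14075a (not Fedora's own code).

FIXED_VERSION="2.4.39"   # upstream httpd version named in the advisory

# version_is_fixed VERSION
# Succeeds when VERSION sorts at or above FIXED_VERSION (GNU sort -V ordering).
version_is_fixed() {
    _lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
    [ "$_lowest" = "$FIXED_VERSION" ]
}

# find_mergeslashes_optout DIR
# Prints file:line:text for every active (uncommented) "MergeSlashes Off" in
# *.conf files under DIR. Directive names and On/Off are case-insensitive.
# Returns non-zero when no opt-out is present.
find_mergeslashes_optout() {
    grep -rniE --include='*.conf' \
        '^[[:space:]]*MergeSlashes[[:space:]]+off[[:space:]]*$' "$1"
}

# audit_host
# Runs both checks against the local system. /etc/httpd is assumed as the
# configuration root; override it with HTTPD_CONF_DIR.
audit_host() {
    if ! _installed=$(rpm -q --qf '%{VERSION}' httpd); then
        echo "httpd is not installed"
        return 0
    fi
    if version_is_fixed "$_installed"; then
        echo "httpd $_installed: at or above $FIXED_VERSION"
    else
        echo "httpd $_installed: older than $FIXED_VERSION, update not applied"
    fi
    if find_mergeslashes_optout "${HTTPD_CONF_DIR:-/etc/httpd}"; then
        echo "MergeSlashes is switched off at the locations listed above"
    else
        echo "No MergeSlashes opt-out found; slash merging is in effect"
    fi
}

# Only touch the host when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Files pulled in by `Include` patterns that do not end in `.conf` are not scanned.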
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 2 2019 Lubos Uhliarik <luhliari(a)redhat.com> - 2.4.39-2
- update to 2.4.39
* Thu Feb 28 2019 Joe Orton <jorton(a)redhat.com> - 2.4.38-6
- apachectl: cleanup and replace script wholesale (#1641237)
* drop "apachectl fullstatus" support
* run systemctl with --no-pager option
* implement graceful&graceful-stop by signal directly
- run "httpd -t" from legacy action script
* Tue Feb 5 2019 Lubos Uhliarik <luhliari(a)redhat.com> - 2.4.38-5
- segmentation fault fix (FIPS)
* Tue Feb 5 2019 Joe Orton <jorton(a)redhat.com> - 2.4.38-4
- use serverroot-relative statedir, rundir by default
* Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.4.38-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 23 2019 Lubos Uhliarik <luhliari(a)redhat.com> - 2.4.38-2
- new version 2.4.38 (#1668125)
* Mon Jan 14 2019 Björn Esser <besser82(a)fedoraproject.org> - 2.4.37-6
- Rebuilt for libcrypt.so.2 (#1666033)
* Thu Nov 22 2018 Lubos Uhliarik <luhliari(a)redhat.com> - 2.4.37-5
- Resolves: #1652678 - TLS connection allowed while all protocols are forbidden
* Thu Nov 8 2018 Joe Orton <jorton(a)redhat.com> - 2.4.37-4
- add httpd.conf(5) (#1611361)
* Wed Nov 7 2018 Luboš Uhliarik <luhliari(a)redhat.com> - 2.4.37-3
- Resolves: #1647241 - fix apachectl script
* Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com> - 2.4.37-2
- add DefaultStateDir/ap_state_dir_relative()
- mod_dav_fs: use state dir for default DAVLockDB
- mod_md: use state dir for default MDStoreDir
* Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com> - 2.4.37-1
- update to 2.4.37
* Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com> - 2.4.34-11
- add htcacheclean.service(8) man page
* Fri Sep 28 2018 Joe Orton <jorton(a)redhat.com> - 2.4.34-10
- apachectl: don't read /etc/sysconfig/httpd
* Tue Sep 25 2018 Joe Orton <jorton(a)redhat.com> - 2.4.34-9
- fix build if OpenSSL built w/o SSLv3 support
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1694986 - CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1694986
[ 2 ] Bug #1695046 - CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1695046
[ 3 ] Bug #1694510 - httpd-2.4.39 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1694510
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-119b14075a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------