[SECURITY] Fedora 29 Update: httpd-2.4.39-2.fc29

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-119b14075a 2019-04-06 19:42:42.476842 -------------------------------------------------------------------------------- Name : httpd Product : Fedora 29 Version : 2.4.39 Release : 2.fc29 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. -------------------------------------------------------------------------------- Update Information: This update includes the latest upstream release of **Apache httpd**, version **2.4.39**, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39 The following security vulnerabilities are addressed: * `CVE-2019-0211` - MPMs unix: Fix a local priviledge escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the priviledged main process. * `CVE-2019-0215` - mod_ssl: Fix access control bypass for per- location/per-dir client certificate verification in TLSv1.3. * `CVE-2019-0217` - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM. * `CVE-2019-0220`- Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`. -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 2 2019 Lubos Uhliarik <luhliari(a)redhat.com&gt; - 2.4.39-2 - update to 2.4.39 * Thu Feb 28 2019 Joe Orton <jorton(a)redhat.com&gt; - 2.4.38-6 - apachectl: cleanup and replace script wholesale (#1641237) * drop "apachectl fullstatus" support * run systemctl with --no-pager option * implement graceful&graceful-stop by signal directly - run "httpd -t" from legacy action script * Tue Feb 5 2019 Lubos Uhliarik <luhliari(a)redhat.com&gt; - 2.4.38-5 - segmentation fault fix (FIPS) * Tue Feb 5 2019 Joe Orton <jorton(a)redhat.com&gt; - 2.4.38-4 - use serverroot-relative statedir, rundir by default * Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org&gt; - 2.4.38-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Wed Jan 23 2019 Lubos Uhliarik <luhliari(a)redhat.com&gt; - 2.4.38-2 - new version 2.4.38 (#1668125) * Mon Jan 14 2019 Bj��rn Esser <besser82(a)fedoraproject.org&gt; - 2.4.37-6 - Rebuilt for libcrypt.so.2 (#1666033) * Thu Nov 22 2018 Lubos Uhliarik <luhliari(a)redhat.com&gt; - 2.4.37-5 - Resolves: #1652678 - TLS connection allowed while all protocols are forbidden * Thu Nov 8 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.37-4 - add httpd.conf(5) (#1611361) * Wed Nov 7 2018 Lubo�� Uhliarik <luhliari(a)redhat.com&gt; - 2.4.37-3 - Resolves: #1647241 - fix apachectl script * Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.37-2 - add DefaultStateDir/ap_state_dir_relative() - mod_dav_fs: use state dir for default DAVLockDB - mod_md: use state dir for default MDStoreDir * Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.37-1 - update to 2.4.37 * Wed Oct 31 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.34-11 - add htcacheclean.service(8) man page * Fri Sep 28 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.34-10 - apachectl: don't read /etc/sysconfig/httpd * Tue Sep 25 2018 Joe Orton <jorton(a)redhat.com&gt; - 2.4.34-9 - fix build if OpenSSL built w/o SSLv3 support -------------------------------------------------------------------------------- References: [ 1 ] Bug #1694986 - CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1694986 [ 2 ] Bug #1695046 - CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1695046 [ 3 ] Bug #1694510 - httpd-2.4.39 is available https://bugzilla.redhat.com/show_bug.cgi?id=1694510 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-119b14075a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------