[ubuntu/bionic-security] apache2 2.4.29-1ubuntu4.10 (Accepted)
Steve Beattie
sbeattie at ubuntu.com
Thu Aug 29 20:52:21 UTC 2019
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

apache2 (2.4.29-1ubuntu4.8) bionic; urgency=medium

  * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
    similarly to <0 with openssl 1.1.1
  * d/p/clear-retry-flags-before-abort.patch: clear retry flags before
    aborting on client-initiated reneg (LP: #1836329)

apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

Date: 2019-08-26 14:35:34.308343+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.10