[ubuntu/disco-proposed] apache2 2.4.38-2ubuntu2 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Thu Apr 4 00:13:15 UTC 2019 

apache2 (2.4.38-2ubuntu2) disco; urgency=medium

  * SECURITY UPDATE: read-after-free on a string compare in mod_http2
    - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
      request method in modules/http2/h2_request.c.
    - CVE-2019-0196
  * SECURITY UPDATE: privilege escalation from modules' scripts
    - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
      child to its slot number in include/scoreboard.h,
      server/mpm/event/event.c, server/mpm/prefork/prefork.c,
      server/mpm/worker/worker.c.
    - CVE-2019-0211
  * SECURITY UPDATE: mod_ssl access control bypass
    - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
      PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
    - CVE-2019-0215
  * SECURITY UPDATE: mod_auth_digest access control bypass
    - debian/patches/CVE-2019-0217.patch: fix a race condition in
      modules/aaa/mod_auth_digest.c.
    - CVE-2019-0217
  * SECURITY UPDATE: URL normalization inconsistincy
    - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
      the path in include/http_core.h, include/httpd.h, server/core.c,
      server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
      in server/request.c, server/util.c.
    - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
      server/util.c.
    - CVE-2019-0220

Date: Wed, 03 Apr 2019 14:31:46 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.38-2ubuntu2
-------------- next part --------------
Format: 1.8
Date: Wed, 03 Apr 2019 14:31:46 -0400
Source: apache2
Architecture: source
Version: 2.4.38-2ubuntu2
Distribution: disco
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 apache2 (2.4.38-2ubuntu2) disco; urgency=medium
 .
   * SECURITY UPDATE: read-after-free on a string compare in mod_http2
     - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
       request method in modules/http2/h2_request.c.
     - CVE-2019-0196
   * SECURITY UPDATE: privilege escalation from modules' scripts
     - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
       child to its slot number in include/scoreboard.h,
       server/mpm/event/event.c, server/mpm/prefork/prefork.c,
       server/mpm/worker/worker.c.
     - CVE-2019-0211
   * SECURITY UPDATE: mod_ssl access control bypass
     - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
       PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
     - CVE-2019-0215
   * SECURITY UPDATE: mod_auth_digest access control bypass
     - debian/patches/CVE-2019-0217.patch: fix a race condition in
       modules/aaa/mod_auth_digest.c.
     - CVE-2019-0217
   * SECURITY UPDATE: URL normalization inconsistincy
     - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
       the path in include/http_core.h, include/httpd.h, server/core.c,
       server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
       in server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
       server/util.c.
     - CVE-2019-0220
Checksums-Sha1:
 9097adbc9f35db625fee0a2bdd40ed4771bd2e5f 3354 apache2_2.4.38-2ubuntu2.dsc
 91f39605ad858ff029f8e9021fd6031eda033a42 1034668 apache2_2.4.38-2ubuntu2.debian.tar.xz
 26329f75c04fe140172cf64727a85e0a8b9dd649 8114 apache2_2.4.38-2ubuntu2_source.buildinfo
Checksums-Sha256:
 ad704ae78953047f5b3b2dfbbf5fd38aafd5672525490f8b82b8650ff0c00a65 3354 apache2_2.4.38-2ubuntu2.dsc
 be7968a473540db1ebf3ee16b928d88992437db7eebe6075ce7e5443cc19b042 1034668 apache2_2.4.38-2ubuntu2.debian.tar.xz
 7de6be2f4370c39cad5de333d3d8ce5874d91debdcaba7a3a7825d042f56d7d6 8114 apache2_2.4.38-2ubuntu2_source.buildinfo
Files:
 af82bdc23082a166df352a8631c3eefc 3354 httpd optional apache2_2.4.38-2ubuntu2.dsc
 b737b4852471aebb53b3bdab91d2286f 1034668 httpd optional apache2_2.4.38-2ubuntu2.debian.tar.xz
 53ae8735bd0aabd725fddaa360c6db44 8114 httpd optional apache2_2.4.38-2ubuntu2_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>

More information about the Disco-changes mailing list