[ubuntu/disco-updates] apache2 2.4.38-2ubuntu2.2 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Aug 29 21:28:23 UTC 2019 

apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

Date: 2019-08-26 14:35:38.614174+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/apache2/2.4.38-2ubuntu2.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the Disco-changes mailing list