[ubuntu/eoan-proposed] apache2 2.4.38-3ubuntu1 (Accepted)
Dimitri John Ledkov
xnox at ubuntu.com
Mon Jun 10 21:22:15 UTC 2019
apache2 (2.4.38-3ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- Cherrypick upstream testsuite fix:
+ r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
as such).
- Similarly use TLSv1.2 for pr12355 and pr43738.
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
[Removed configure chunk, not needed since configure.in is being
patched.]
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
apache2 (2.4.38-3) unstable; urgency=high
[ Marc Deslauriers ]
* SECURITY UPDATE: read-after-free on a string compare in mod_http2
- debian/patches/CVE-2019-0196.patch: disentangelment of stream and
request method in modules/http2/h2_request.c.
- CVE-2019-0196
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_ssl access control bypass
- debian/patches/CVE-2019-0215.patch: restore SSL verify state after
PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
- CVE-2019-0215
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
[ Stefan Fritsch ]
* Pull security fixes from 2.4.39 via Ubuntu
* CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
Date: Mon, 10 Jun 2019 19:17:38 +0100
Changed-By: Dimitri John Ledkov <xnox at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.38-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 10 Jun 2019 19:17:38 +0100
Source: apache2
Architecture: source
Version: 2.4.38-3ubuntu1
Distribution: eoan
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Dimitri John Ledkov <xnox at ubuntu.com>
Changes:
apache2 (2.4.38-3ubuntu1) eoan; urgency=low
.
* Merge from Debian unstable. Remaining changes:
- Cherrypick upstream testsuite fix:
+ r1850941 Skip tests for TLSv1.3 (where there is no "renegotiation"
as such).
- Similarly use TLSv1.2 for pr12355 and pr43738.
- debian/{control, apache2.install, apache2-utils.ufw.profile,
apache2.dirs}: Add ufw profiles.
- debian/apache2.py, debian/apache2-bin.install: Add apport hook.
- debian/patches/086_svn_cross_compiles: Backport several cross
fixes from upstream
[Removed configure chunk, not needed since configure.in is being
patched.]
- d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
Debian with Ubuntu on default page.
+ d/source/include-binaries: add Ubuntu icon file
- d/t/control, d/t/check-http2: add basic test for http2 support
.
apache2 (2.4.38-3) unstable; urgency=high
.
[ Marc Deslauriers ]
* SECURITY UPDATE: read-after-free on a string compare in mod_http2
- debian/patches/CVE-2019-0196.patch: disentangelment of stream and
request method in modules/http2/h2_request.c.
- CVE-2019-0196
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_ssl access control bypass
- debian/patches/CVE-2019-0215.patch: restore SSL verify state after
PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
- CVE-2019-0215
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
.
[ Stefan Fritsch ]
* Pull security fixes from 2.4.39 via Ubuntu
* CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
Checksums-Sha1:
f7f92d84368c29b05c7db6717b23cfcc40d752f7 3626 apache2_2.4.38-3ubuntu1.dsc
6ee19a7b936a6ddbbf81b313c4a8b38bf232b40e 9187294 apache2_2.4.38.orig.tar.gz
bb42f56e0716ca824776a6452b98b4a49956f711 488 apache2_2.4.38.orig.tar.gz.asc
810bd40f244cd5df5651c5b693427a11c734fff0 1037144 apache2_2.4.38-3ubuntu1.debian.tar.xz
cfef39e399b64c74b17b1e9cd9a789366aa24540 8987 apache2_2.4.38-3ubuntu1_source.buildinfo
Checksums-Sha256:
fa0ea1d5eca04b5a9f98d3aa4d2e3216dded73fcf0279c21579a7b962cca522d 3626 apache2_2.4.38-3ubuntu1.dsc
38d0b73aa313c28065bf58faf64cec12bf7c7d5196146107df2ad07541aa26a6 9187294 apache2_2.4.38.orig.tar.gz
4931fdd5833dc79592edd351047b9f153e3bac4323157e3f5d733d276d2a4997 488 apache2_2.4.38.orig.tar.gz.asc
0798e9f56f670f972783b1a2d9545f48e2739733113d4d68681c6d68fca273ed 1037144 apache2_2.4.38-3ubuntu1.debian.tar.xz
d0471283d87574639ce473a1aafb27c3b3ced937c00261eacd5a4c355865add5 8987 apache2_2.4.38-3ubuntu1_source.buildinfo
Files:
32ab8c9006a8d8d931577c1a5e28ebee 3626 httpd optional apache2_2.4.38-3ubuntu1.dsc
626083caac6d85a048abac6d5ea61e5b 9187294 httpd optional apache2_2.4.38.orig.tar.gz
6933fc9cc71319ec87333b7e44b319ec 488 httpd optional apache2_2.4.38.orig.tar.gz.asc
d02206b166d138341f9529f2acb1ce73 1037144 httpd optional apache2_2.4.38-3ubuntu1.debian.tar.xz
4718bed0e5119e943b2b9817ae208742 8987 httpd optional apache2_2.4.38-3ubuntu1_source.buildinfo
Original-Maintainer: Debian Apache Maintainers <debian-apache at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCgAuFiEE4cdIyvfCPLE8LKqG6OhJCPkDr7UFAlz+ycgQHHhub3hAdWJ1
bnR1LmNvbQAKCRDo6EkI+QOvteEyD/4zEPGqNyLLT4StERyHU3SkKuQZfmE3jBt3
W2fOxIMbVjFMOZy24A6T53WSMU+Byx8TA9hQPXSj662YRGmXi81vj88HiERqGu8x
fR84UnMj0a9Vn1lmmN+ggmSOnUkIVzx0xMhxEqLgKrWQ89uOc1wY4ToH/slZPNIS
RQJdf3HXVxgNzKCE6NPuinyc6T6cxAty4DI0OhMXzyrlWZzQbc2ux1NUEbCBBaMh
RoScQXIh5NFLTLYrmX4WZfA+NJBbyYeB/xSxer4YEHTmGnsOoejPsdUJyeUyso5Z
tjjO1e2wpp9r+usv9NjCzsy9ZKXoAAFRUIMiIroO6DXIUI0aluNIx8WtY2ID6dmm
b6Anywu+xv4NM7K7QS6MEQktYa798gxie/5qiqk5lyOu58EHNVM8OdcikoVReoqV
p1fAF0utTCPWfrPAJQ10m5AKOQiazbwEGyg1LljXjqodDq+W1knnY9C3N7OSm1um
9wau6jOzn+Cemkx4y9D4YQQsoaKgBL9hQkbFfKg5ARZKr100sHOfwiJkU72vnoal
kvbJIIEyb17SwHY2ls5vxaF6MQTEpE9NsrvxZmcFn13OWBRno7sPFi9jfnrKoLxg
jw9fZ4mF2xxjGEaBnUFLmrFFx8uvaCvSczFAR4DOfAXWoqqRlx64DaQ+oocj2Vpo
cYaqIQM36Q==
=/LHC
-----END PGP SIGNATURE-----
More information about the Eoan-changes
mailing list