SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for httpd24-manual-2.4.33-lp150.1.1.x86_64.rpm :

* Sun May 27 2018 mkubecekAATTsuse.cz- update to version 2.4.33
* mod_authnz_ldap: out of bound write with AuthLDAPCharsetConfig enabled (CVE-2017-15710)
* mod_session: CGI-like applications that intend to read from mod_session\'s \'SessionEnv ON\' could be fooled into reading user-supplied data instead (CVE-2018-1283)
* mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data (CVE-2018-1303)
* core: Possible crash with excessively long HTTP request headers (CVE-2018-1301)
* core: Configure the regular expression engine to match \'$\' to the end of the input string only, excluding matching the end of any embedded newline characters; behavior can be changed with new directive \'RegexDefaultOptions\' (CVE-2017-15715)
* mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain (CVE-2018-1312)
* mod_http2: Potential crash w/ mod_http2 (CVE-2018-1302)
* many other fixes
* Sat Nov 11 2017 mkubecekAATTsuse.cz- update to version 2.4.29
* mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header (CVE-2017-7679)
* bug in token list parsing, which allows ap_find_token() to search past the end of its input string (CVE-2017-7668)
* a maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process (CVE-2017-7659)
* mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port (CVE-2017-3169)
* use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed (CVE-2017-3167)
* mod_http2: read after free; when under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour (CVE-2017-9789)
* mod_auth_digest: Uninitialized memory reflection. The value placeholder in [Proxy-]Authorization headers type \'Digest\' was not initialized or reset before or between successive key=value assignments (CVE-2017-9788)
* corrupted or freed memory access. must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files (CVE-2017-9798)
* HTTP/2 support no longer tagged as \"experimental\" but is instead considered fully production ready
* mod_http2: Disable and give warning when using Prefork; the server will continue to run, but HTTP/2 will no longer be negotiated
* Tue Mar 14 2017 mkubecekAATTsuse.cz- update to version 2.4.25
* mod_http2: mitigate DoS memory exhaustion via endless CONTINUATION frames
* core: mitigate [f]cgi \"httpoxy\" issues (CVE-2016-5387)
* mod_auth_digest: prevent segfaults during client entry allocation when the shared memory space is exhausted (CVE-2016-2161)
* mod_session_crypto: authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack
* enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies (CVE-2016-8743)
* validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules
* core: new directive HttpProtocolOptions to control httpd enforcement of various RFC7230 requirements
* mod_http2: new directive \'H2PushResource\' to enable early pushes before processing of the main request starts
* mod_proxy_http2: adding support for newly proposed 103 status code- add explicit insserv prerequisities
* Mon Sep 05 2016 mkubecekAATTsuse.cz- update to version 2.4.23
* mod_ssl: Add \"no_crl_for_cert_ok\" flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.
* mod_ssl: reset client-verify state of ssl when aborting renegotiations
* mod_httpd2: lot of fixes- specfile cleanup
* Fri Jul 01 2016 mikeAATTmk-sys.cz- update to version 2.4.20
* mod_log_config: Add GlobalLog to allow a globally defined log to be inherited by virtual hosts that define a CustomLog
* mod_httpd2: lot of fixes
* Sat Dec 26 2015 mikeAATTmk-sys.cz- update to version 2.4.18
* mod_http2: added donated HTTP/2 implementation via core module; similar configuration options to mod_ssl
* mod_ssl: enable support for configuring the SUITEB
* cipher strings introduced in OpenSSL 1.0.2
* MPMs: support SO_REUSEPORT to create multiple duplicated listener records for scalability
* Wed Sep 30 2015 mikeAATTmk-sys.cz- update to version 2.4.16
* mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers\' size above 8K (CVE-2014-3583)
* mod_cache: Avoid a crash when Content-Type has an empty value (CVE-2014-3581)
* mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments (CVE-2014-8109)
* core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds \"MergeTrailers\" directive to restore legacy behavior. (CVE-2013-5704)
* mod_ssl: New directive SSLSessionTickets (On|Off)
* core: Fix a crash with ErrorDocument 400 pointing to a local URL-path qith the INCLUDES filter active, introduced in 2.4.11 (CVE-2015-0253)
* mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash (CVE-2015-0228)
* core: Fix chunk header parsing defect (CVE-2015-3183)
* Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook (CVE-2015-3185)
* Thu Sep 04 2014 mikeAATTmk-sys.cz- update to version 2.4.10
* mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM. (CVE-2014-0117)
* Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. (CVE-2014-0226)
* mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of sevice via highly compressed bodies. (CVE-2014-0118)
* mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. (CVE-2014-0231)
* Sun Mar 23 2014 mikeAATTmk-sys.cz- update to version 2.4.9
* mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes. This changes the format of the updatesession SQL statement. Existing configurations must be changed. (CVE-2013-2249)
* mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. (CVE-2013-1896)
* mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests (CVE-2013-6438)
* Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. (CVE-2014-0098)
* APR 1.5.0 or later is now required for the event MPM.
* Sat Jun 22 2013 mikeAATTmk-sys.cz- add zlib-devel and openssl-devel to BuildRequires to fix build in Factory
* Mon Mar 18 2013 mikeAATTmk-sys.cz- update to version 2.4.4
* various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499)
* a XSS flaw affected the mod_proxy_balancer manager interface (CVE-2012-4558)
* Fri Sep 14 2012 mikeAATTmk-sys.cz- update to version 2.4.3
* mod_proxy_ajp, mod_proxy_http: Fix an issue in back end connection closing which could lead to privacy issues due to a response mixup. PR 53727. (CVE-2012-3502)
* mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. (CVE-2012-2687)- httpd-2.4.3-layout.patch: refresh
* Tue Apr 17 2012 mikeAATTmk-sys.cz- update to version 2.4.2
* envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs
* Various bugfixes
* Sun Mar 18 2012 mikeAATTmk-sys.cz- build as PIE to silence rpmlint/brp
* Mon Feb 27 2012 mikeAATTmk-sys.cz- initial 2.4 package forked from 2.2 sources
 
ICM