SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for httpd24-manual-2.4.33-1.1.x86_64.rpm :
Sun May 27 14:00:00 2018 mkubecekAATTsuse.cz
- update to version 2.4.33

* mod_authnz_ldap: out of bound write with AuthLDAPCharsetConfig
enabled (CVE-2017-15710)

* mod_session: CGI-like applications that intend to read from
mod_session\'s \'SessionEnv ON\' could be fooled into reading
user-supplied data instead (CVE-2018-1283)

* mod_cache_socache: Fix request headers parsing to avoid a
possible crash with specially crafted input data
(CVE-2018-1303)

* core: Possible crash with excessively long HTTP request headers
(CVE-2018-1301)

* core: Configure the regular expression engine to match \'$\' to
the end of the input string only, excluding matching the end of
any embedded newline characters; behavior can be changed with
new directive \'RegexDefaultOptions\' (CVE-2017-15715)

* mod_auth_digest: Fix generation of nonce values to prevent
replay attacks across servers using a common Digest domain
(CVE-2018-1312)

* mod_http2: Potential crash w/ mod_http2 (CVE-2018-1302)

* many other fixes

Sat Nov 11 13:00:00 2017 mkubecekAATTsuse.cz
- update to version 2.4.29

* mod_mime can read one byte past the end of a buffer when
sending a malicious Content-Type response header
(CVE-2017-7679)

* bug in token list parsing, which allows ap_find_token() to
search past the end of its input string (CVE-2017-7668)

* a maliciously constructed HTTP/2 request could cause mod_http2
to dereference a NULL pointer and crash the server process
(CVE-2017-7659)

* mod_ssl may dereference a NULL pointer when third-party modules
call ap_hook_process_connection() during an HTTP request to an
HTTPS port (CVE-2017-3169)

* use of the ap_get_basic_auth_pw() by third-party modules
outside of the authentication phase may lead to authentication
requirements being bypassed (CVE-2017-3167)

* mod_http2: read after free; when under stress, closing many
connections, the HTTP/2 handling code would sometimes access
memory after it has been freed, resulting in potentially
erratic behaviour (CVE-2017-9789)

* mod_auth_digest: Uninitialized memory reflection. The value
placeholder in [Proxy-]Authorization headers type \'Digest\' was
not initialized or reset before or between successive key=value
assignments (CVE-2017-9788)

* corrupted or freed memory access. must now be
used in the main configuration file (httpd.conf) to register
HTTP methods before the .htaccess files (CVE-2017-9798)

* HTTP/2 support no longer tagged as \"experimental\" but is
instead considered fully production ready

* mod_http2: Disable and give warning when using Prefork; the
server will continue to run, but HTTP/2 will no longer be
negotiated

Tue Mar 14 13:00:00 2017 mkubecekAATTsuse.cz
- update to version 2.4.25

* mod_http2: mitigate DoS memory exhaustion via endless
CONTINUATION frames

* core: mitigate [f]cgi \"httpoxy\" issues (CVE-2016-5387)

* mod_auth_digest: prevent segfaults during client entry
allocation when the shared memory space is exhausted
(CVE-2016-2161)

* mod_session_crypto: authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a
padding oracle attack

* enforce HTTP request grammar corresponding to RFC7230 for
request lines and request headers, to prevent response
splitting and cache pollution by malicious clients or
downstream proxies (CVE-2016-8743)

* validate HTTP response header grammar defined by RFC7230,
resulting in a 500 error in the event that invalid response
header contents are detected when serving the response, to
avoid response splitting and cache pollution by malicious
clients, upstream servers or faulty modules

* core: new directive HttpProtocolOptions to control httpd
enforcement of various RFC7230 requirements

* mod_http2: new directive \'H2PushResource\' to enable early
pushes before processing of the main request starts

* mod_proxy_http2: adding support for newly proposed 103 status
code
- add explicit insserv prerequisities

Mon Sep 5 14:00:00 2016 mkubecekAATTsuse.cz
- update to version 2.4.23

* mod_ssl: Add \"no_crl_for_cert_ok\" flag to SSLCARevocationCheck
directive to opt-in previous behaviour (2.2) with CRLs
verification when checking certificate(s) with no corresponding
CRL.

* mod_ssl: reset client-verify state of ssl when aborting
renegotiations

* mod_httpd2: lot of fixes
- specfile cleanup

Fri Jul 1 14:00:00 2016 mikeAATTmk-sys.cz
- update to version 2.4.20

* mod_log_config: Add GlobalLog to allow a globally defined log
to be inherited by virtual hosts that define a CustomLog

* mod_httpd2: lot of fixes

Sat Dec 26 13:00:00 2015 mikeAATTmk-sys.cz
- update to version 2.4.18

* mod_http2: added donated HTTP/2 implementation via core module;
similar configuration options to mod_ssl

* mod_ssl: enable support for configuring the SUITEB
* cipher
strings introduced in OpenSSL 1.0.2

* MPMs: support SO_REUSEPORT to create multiple duplicated
listener records for scalability

Wed Sep 30 14:00:00 2015 mikeAATTmk-sys.cz
- update to version 2.4.16

* mod_proxy_fcgi: Fix a potential crash due to buffer over-read,
with response headers\' size above 8K (CVE-2014-3583)

* mod_cache: Avoid a crash when Content-Type has an empty value
(CVE-2014-3581)

* mod_lua: Fix handling of the Require line when a
LuaAuthzProvider is used in multiple Require directives with
different arguments (CVE-2014-8109)

* core: HTTP trailers could be used to replace HTTP headers late
during request processing, potentially undoing or otherwise
confusing modules that examined or modified request headers
earlier. Adds \"MergeTrailers\" directive to restore legacy
behavior. (CVE-2013-5704)

* mod_ssl: New directive SSLSessionTickets (On|Off)

* core: Fix a crash with ErrorDocument 400 pointing to a local
URL-path qith the INCLUDES filter active, introduced in 2.4.11
(CVE-2015-0253)

* mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash
(CVE-2015-0228)

* core: Fix chunk header parsing defect (CVE-2015-3183)

* Replacement of ap_some_auth_required (unusable in Apache httpd
2.4) with new ap_some_authn_required and ap_force_authn hook
(CVE-2015-3185)

Thu Sep 4 14:00:00 2014 mikeAATTmk-sys.cz
- update to version 2.4.10

* mod_proxy: Fix crash in Connection header handling which
allowed a denial of service attack against a reverse proxy
with a threaded MPM.
(CVE-2014-0117)

* Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.
(CVE-2014-0226)

* mod_deflate: The DEFLATE input filter (inflates request bodies)
now limits the length and compression ratio of inflated request
bodies to avoid denial of sevice via highly compressed bodies.
(CVE-2014-0118)

* mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child
processes filling up the scoreboard and eventually hanging the
server.
(CVE-2014-0231)

Sun Mar 23 13:00:00 2014 mikeAATTmk-sys.cz
- update to version 2.4.9

* mod_session_dbd: Make sure that dirty flag is respected when
saving sessions, and ensure the session ID is changed each time
the session changes. This changes the format of the
updatesession SQL statement. Existing configurations must be
changed.
(CVE-2013-2249)

* mod_dav: Sending a MERGE request against a URI handled by
mod_dav_svn with the source href (sent as part of the request
body as XML) pointing to a URI that is not configured for DAV
will trigger a segfault.
(CVE-2013-1896)

* mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
(CVE-2013-6438)

* Clean up cookie logging with fewer redundant string parsing
passes. Log only cookies with a value assignment. Prevents
segfaults when logging truncated cookies.
(CVE-2014-0098)

* APR 1.5.0 or later is now required for the event MPM.

Sat Jun 22 14:00:00 2013 mikeAATTmk-sys.cz
- add zlib-devel and openssl-devel to BuildRequires to fix build
in Factory

Mon Mar 18 13:00:00 2013 mikeAATTmk-sys.cz
- update to version 2.4.4

* various XSS flaws due to unescaped hostnames and URIs HTML
output in mod_info, mod_status, mod_imagemap, mod_ldap, and
mod_proxy_ftp
(CVE-2012-3499)

* a XSS flaw affected the mod_proxy_balancer manager interface
(CVE-2012-4558)

Fri Sep 14 14:00:00 2012 mikeAATTmk-sys.cz
- update to version 2.4.3

* mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. (CVE-2012-3502)

* mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files
to a location with MultiViews enabled. (CVE-2012-2687)
- httpd-2.4.3-layout.patch: refresh

Tue Apr 17 14:00:00 2012 mikeAATTmk-sys.cz
- update to version 2.4.2

* envvars: Fix insecure handling of LD_LIBRARY_PATH that could
lead to the current working directory to be searched for DSOs

* Various bugfixes

Sun Mar 18 13:00:00 2012 mikeAATTmk-sys.cz
- build as PIE to silence rpmlint/brp

Mon Feb 27 13:00:00 2012 mikeAATTmk-sys.cz
- initial 2.4 package forked from 2.2 sources


  
ICM