Bug 554948 - <www-servers/apache-2.4.16: version bump with security fixes (CVE-2015-{0228, 0253, 3183, 3185})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/Anno...
Whiteboard: B3 [glsa cve]
Reported: 2015-07-15 11:13 UTC by Zoltán Halassy
Modified: 2016-10-06 17:26 UTC
Description Zoltán Halassy 2015-07-15 11:13:28 UTC
A new Apache version is available, which fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228, gives better default recommended SSLCipherSuite and SSLProxyCipherSuite, contains Event MPM improvements, and adds support for the CGIPassAuth directive.

For the complete list, read http://www.apachelounge.com/Changelog-2.4.html

Sources can be found here: http://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2

Reproducible: Always
Comment 1 Zoltán Halassy 2015-07-15 11:22:44 UTC
Sorry, accidentally linked the changelog from apachelounge; the ASF changelog can be seen here: http://www.apache.org/dist/httpd/CHANGES_2.4.16
Comment 2 Zoltán Halassy 2015-07-15 11:51:08 UTC
The ebuild used for 2.4.12-r1 seems to work without problems for 2.4.16, without modifications.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-16 06:08:58 UTC
+*apache-tools-2.4.16 (16 Jul 2015)
+
+  16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org>
+  apache-tools-2.4.12.ebuild, +apache-tools-2.4.16.ebuild:
+  Version bump (bug #554948). Slightly tweaked openssl dependency.
+
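Review bot: "Slightly tweaked openssl dependency" in the apache-tools entry does not say what the dependency was changed to, and because apache-tools-2.4.12.ebuild is listed next to the newly added +apache-tools-2.4.16.ebuild it is unclear whether the tweak also touched the existing ebuild. Spell out the new openssl dependency and name the ebuilds that carry it, so the change can be audited from the ChangeLog alone.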


+*apache-2.4.16 (16 Jul 2015)
+
+  16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> +apache-2.4.16.ebuild:
+  Version bump (bug #554948).
+


No stabilization planned yet.
Comment 4 Pacho Ramos gentoo-dev 2016-02-08 19:13:20 UTC
Vulnerable versions are gone from the tree.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 02:47:59 UTC
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-10-06 17:26:08 UTC
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).