This sounds really bad:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

"In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard."

Here's a warning from an Apache dev:
https://twitter.com/iamamoose/status/1112966189276389376

Also various other security fixes. Please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ba34aa34c25d07f495ae56fc56a2bbaab5d4dd6

commit 9ba34aa34c25d07f495ae56fc56a2bbaab5d4dd6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-02 08:50:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-02 08:54:13 +0000

    www-servers/apache: Security bump to version 2.4.39

    Attempt to make apache2ctl systemd compatible

    Bug: https://bugs.gentoo.org/673530
    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   2 +
 www-servers/apache/apache-2.4.39.ebuild | 257 ++++++++++++++++++++++++++++++++
 2 files changed, 259 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b8813408caa94488b83fcbcce09e4d156c95285

commit 5b8813408caa94488b83fcbcce09e4d156c95285
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-02 08:49:10 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-02 08:54:12 +0000

    app-admin/apache-tools: Security bump to version 2.4.39

    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.39.ebuild | 105 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
amd64 stable
(In reply to Mikle Kolyada from comment #2)
> amd64 stable

...
Resolving dev.gentoo.org... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘dev.gentoo.org’
!!! Couldn't download 'gentoo-apache-2.4.39-20190402.tar.bz2'. Aborting.
...
(In reply to Manfred Knick from comment #3)
> ... Resolving dev.gentoo.org... failed: ...

After sync this morning: WORKSFORME

Thanks.
hppa stable
arm stable
ia64 stable
ppc64 stable
x86 stable
ppc stable
sparc stable
alpha stable
@maintainer(s), please drop vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4fa77e074b321d4bf55c3eab587daed8227cac6

commit a4fa77e074b321d4bf55c3eab587daed8227cac6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-21 02:13:51 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-21 02:13:51 +0000

    www-servers/apache: Security cleanup

    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.64, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                          |   4 -
 www-servers/apache/apache-2.4.34-r2.ebuild           | 262 ---------------------
 www-servers/apache/apache-2.4.38-r1.ebuild           | 257 --------------------
 .../apache/files/apache-2.4.34-PR62557.patch         | 216 -----------------
 .../apache-2.4.34-suexec_parallel_install.patch      |  19 --
 5 files changed, 758 deletions(-)
This issue was resolved and addressed in GLSA 201904-20 at https://security.gentoo.org/glsa/201904-20 by GLSA coordinator Aaron Bauman (b-man).