
Bug 554948

Summary: <www-servers/apache-2.4.16: version bump with security fixes (CVE-2015-{0228, 0253, 3183, 3185})
Product: Gentoo Security Reporter: Zoltán Halassy <zhalassy>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement CC: pacho, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.apache.org/dist/httpd/Announcement2.4.html
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Zoltán Halassy 2015-07-15 11:13:28 UTC
A new Apache version is available, which fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228, gives better default recommended SSLCipherSuite and SSLProxyCipherSuite, contains Event MPM improvements, and adds support for the CGIPassAuth directive.

For the complete list, read http://www.apachelounge.com/Changelog-2.4.html

Sources can be found here: http://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2

Reproducible: Always
Comment 1 Zoltán Halassy 2015-07-15 11:22:44 UTC
Sorry, accidentally linked the changelog from apachelounge; the ASF changelog can be seen here: http://www.apache.org/dist/httpd/CHANGES_2.4.16
Comment 2 Zoltán Halassy 2015-07-15 11:51:08 UTC
The ebuild used for 2.4.12-r1 seems to work without problems for 2.4.16, without modifications.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-16 06:08:58 UTC
+*apache-tools-2.4.16 (16 Jul 2015)
+
+  16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org>
+  apache-tools-2.4.12.ebuild, +apache-tools-2.4.16.ebuild:
+  Version bump (bug #554948). Slightly tweaked openssl dependency.
+
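Review bot: In the apache-tools entry, "Slightly tweaked openssl dependency" does not say what changed in the dependency or why; state the actual change so it can be checked against the ebuild. The entry also lists apache-tools-2.4.12.ebuild as modified alongside the new 2.4.16 ebuild, so the message should say whether the dependency tweak was applied to the older ebuild as well.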


+*apache-2.4.16 (16 Jul 2015)
+
+  16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> +apache-2.4.16.ebuild:
+  Version bump (bug #554948).
+
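Review bot: The apache-2.4.16 entry reads only "Version bump (bug #554948)", which hides that this bump carries the fixes for CVE-2015-0228, CVE-2015-0253, CVE-2015-3183 and CVE-2015-3185 named in the bug summary. Say in the message that it is a security bump so the entry can be found when auditing the tree for these fixes.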


No stabilization planned yet.
Comment 4 Pacho Ramos gentoo-dev 2016-02-08 19:13:20 UTC
vulnerable versions are gone from the tree
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 02:47:59 UTC
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-10-06 17:26:08 UTC
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).