New apache version is available, which fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228, gives better default recommended SSLCipherSuite and SSLProxyCipherSuite, contains Event MPM improvements, and added support for CGIPassAuth directive.

For complete list, read http://www.apachelounge.com/Changelog-2.4.html

Sources can be found here: http://archive.apache.org/dist/httpd/httpd-2.4.16.tar.bz2

Reproducible: Always
Sorry, accidentally linked changelog from apachelounge, ASF changelog can be seen here: http://www.apache.org/dist/httpd/CHANGES_2.4.16
The ebuild used for 2.4.12-r1 seems to work without problems for 2.4.16, without modifications.
+*apache-tools-2.4.16 (16 Jul 2015) + + 16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> + apache-tools-2.4.12.ebuild, +apache-tools-2.4.16.ebuild: + Version bump (bug #554948). Slightly tweaked openssl dependency. + +*apache-2.4.16 (16 Jul 2015) + + 16 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> +apache-2.4.16.ebuild: + Version bump (bug #554948). + No stabilization planned yet.
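Review bot: The apache-tools entry's "Slightly tweaked openssl dependency" does not say what the dependency was changed to, or whether the change applies to apache-tools-2.4.12.ebuild (listed as modified in place), to the new apache-tools-2.4.16.ebuild, or to both. Spell out the new dependency in the message, and if the existing 2.4.12 ebuild's dependencies changed, note why no revision bump was needed. Neither entry mentions that this bump is security-relevant; "Version bump (bug #554948)" would be easier to audit later if it said "Security bump".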
Vulnerable versions are gone from the tree.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).