Apache 2.4.38 has been released: https://www.apache.org/dist/httpd/Announcement2.4.html https://www.apache.org/dist/httpd/CHANGES_2.4.38
This fixes multiple security bugs; it seems the advisories aren't yet on the Apache page, but they are on oss-security: https://www.openwall.com/lists/oss-security/2019/01/22/2 https://www.openwall.com/lists/oss-security/2019/01/22/3 https://www.openwall.com/lists/oss-security/2019/01/22/4
Deployed on a few machines and so far so good (simple copy from 2.4.37).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83d835b33bf278c1f6bdcd8dfb22d9772a5ad4a1

commit 83d835b33bf278c1f6bdcd8dfb22d9772a5ad4a1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-01-23 11:54:42 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-01-23 12:05:32 +0000

    www-servers/apache: Security bump to version 2.4.38

    Bug: https://bugs.gentoo.org/676064
    Package-Manager: Portage-2.3.58, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.38.ebuild | 257 ++++++++++++++++++++++++++++++++
 2 files changed, 258 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfbfdecee0d3bf160779211d2d7fed5a0ade8787

commit dfbfdecee0d3bf160779211d2d7fed5a0ade8787
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-01-23 11:53:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-01-23 12:05:32 +0000

    app-admin/apache-tools: Security bump to version 2.4.38

    Bug: https://bugs.gentoo.org/676064
    Package-Manager: Portage-2.3.58, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.38.ebuild | 105 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
*** Bug 677000 has been marked as a duplicate of this bug. ***
So, err, should we perhaps stabilize this thing? I'm surprised that this has been sitting here this long, with one vulnerability classified as Important.
(In reply to Dirkjan Ochtman from comment #5)
> So, err, should we perhaps stabilize this thing? I'm surprised that this has
> been sitting here this long, with one vulnerability classified as Important.

Definitely. Sorry I lost track of this one.
amd64 stable
arm stable
sparc stable
CVE Information:

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Versions Affected: httpd 2.4.17 to 2.4.37
Description: By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections in Apache HTTP Server versions 2.4.37 and prior.

--

CVE-2018-17199: mod_session_cookie does not respect expiry time
Versions Affected: httpd 2.4.0 to 2.4.37
Description: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

--

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Versions Affected: httpd 2.4.37
Description: A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
GLSA Vote: Yes

New GLSA request filed.
ia64 stable
ppc stable
ppc64 stable
hppa stable
x86 stable
This issue was resolved and addressed in GLSA 201903-21 at https://security.gentoo.org/glsa/201903-21 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arches and cleanup
alpha stable