search

AOSC-Dev / aosc-os-abbs

ABBS/ACBS tree for AOSC OS package metadata, build configuration, scripts, and patches
https://packages.aosc.io
GNU General Public License v2.0
102 stars 80 forks source link

httpd: security update to ^2.4.30 #1093

Closed l2dy closed 6 years ago

l2dy commented 6 years ago

https://www.apache.org/dist/httpd/CHANGES_2.4

Changes with Apache 2.4.30

  *) SECURITY: CVE-2017-15710 (cve.mitre.org)
     Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
     [Eric Covener, Luca Toscano, Yann Ylavic]

  *) CVE-2018-1283 (cve.mitre.org)
     mod_session: CGI-like applications that intend to read from mod_session's 
     'SessionEnv ON' could be fooled into reading user-supplied data instead.
     [Yann Ylavic]

  *) SECURITY: CVE-2018-1303 (cve.mitre.org)
     mod_cache_socache: Fix request headers parsing to avoid a possible crash
     with specially crafted input data.  [Ruediger Pluem]

  *) CVE-2018-1301 (cve.mitre.org)
     core: Possible crash with excessively long HTTP request headers. 
     Impractical to exploit with a production build and production LogLevel.
     [Yann Ylavic]

  *) mod_authnz_ldap: Fix language long names detection as short name.
     [Yann Ylavic]

  *) mod_proxy: Worker schemes and hostnames which are too large are no
     longer fatal errors; it is logged and the truncated values are stored.
     [Jim Jagielski]

  *) CVE-2017-15715 (cve.mitre.org)
     core: Configure the regular expression engine to match '$' to the end of
     the input string only, excluding matching the end of any embedded 
     newline characters. Behavior can be changed with new directive 
     'RegexDefaultOptions'. [Yann Ylavic]

  *) SECURITY: CVE-2018-1312 (cve.mitre.org)
     mod_auth_digest: Fix generation of nonce values to prevent replay
     attacks across servers using a common Digest domain. This change
     may cause problems if used with round robin load balancers. PR 54637
     [Stefan Fritsch]

  *) mod_proxy: Allow setting options to globally defined balancer from
     ProxyPass used in VirtualHost. Balancers are now merged using the new
     merge_balancers method which merges the balancers options.  [Jan Kaluza]

  *) logresolve: Fix incorrect behavior or segfault if -c flag is used
     Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
     [Stefan Fritsch]

  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]

  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
     allowing per backend TLS configuration.  [Yann Ylavic]

  *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
     Jim Jagielski]

  *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
     depend on the number of restarts (non-Unix systems) and preserve shared
  *) CVE-2018-1302 (cve.mitre.org)
     mod_http2: Potential crash w/ mod_http2.
     [Stefan Eissing]

     names as much as possible on configuration changes for SHMs and persisted
     files.  PR 62044.  [Yann Ylavic, Jim Jagielski]
[...]
MingcongBai commented 6 years ago

Fixed with https://github.com/AOSC-Dev/aosc-os-abbs/commit/7ce60b530ccef9042598f787498349085705a1f4. Closing.

l2dy commented 6 years ago

Use AOSA-2018-0137.