Univention Bugzilla – Full Text Bug Listing |
Summary: | apache2: Multiple issues (4.3) | ||
---|---|---|---|
Product: | UCS | Reporter: | Quality Assurance <qa> |
Component: | Security updates | Assignee: | Quality Assurance <qa> |
Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
Severity: | normal | ||
Priority: | P3 | ||
Version: | UCS 4.3 | ||
Target Milestone: | UCS 4.3-3-errata | ||
Hardware: | All | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | 8.2 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) |
Description
Quality Assurance
2019-04-05 11:31:37 CEST
--- mirror/ftp/4.3/unmaintained/4.3-3/source/apache2_2.4.25-3+deb9u6A~4.3.2.201811190845.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/apache2_2.4.25-3+deb9u7A~4.3.3.201904051131.dsc @@ -1,9 +1,30 @@ -2.4.25-3+deb9u6A~4.3.2.201811190845 [Mon, 19 Nov 2018 09:00:01 +0100] Univention builddaemon <buildd@univention.de>: +2.4.25-3+deb9u7A~4.3.3.201904051131 [Fri, 05 Apr 2019 11:31:48 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 05-autostart-setting 10-apache2-reload 20-no-proxy + +2.4.25-3+deb9u7 [Tue, 02 Apr 2019 21:05:13 +0200] Stefan Fritsch <sf@debian.org>: + + [ Xavier Guimard ] + * CVE-2018-17199: mode_session: Fix missing check for session expiry time. + Closes: #920303 + + [ Stefan Fritsch ] + * mod_http2: Fix keepalive timeout behavior. This fixes a regression with + Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 + * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. + Closes: #904150 + * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. + Closes: #920302 + * CVE-2019-0196: mod_http2: Fix read after free + * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. + * CVE-2019-0217: mod_auth_digest: Access control bypass + * CVE-2019-0220: URL normalization inconsistincy. + Consecutive slashes in URL's are now merged before use in LocationMatch + and RewriteRule. The old behavior can be restored with the new directive + "MergeSlashes off". 2.4.25-3+deb9u6 [Sat, 03 Nov 2018 19:46:19 +0100] Stefan Fritsch <sf@debian.org>: <http://10.200.17.11/4.3-3/#8523892427045836363> OK: yaml OK: announce_errata OK: patch OK: piuparts [4.3-3] dc3dc2e5dd Bug #49236: apache2 2.4.25-3+deb9u7A~4.3.3.201904051131 doc/errata/staging/apache2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [4.3-3] 0bf5011c81 Bug #49236: apache2 2.4.25-3+deb9u7A~4.3.3.201904051131 doc/errata/staging/apache2.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) |