Univention Bugzilla – Bug 47510
apache2: Multiple issues (4.3)
Last modified: 2018-08-15 13:14:52 CEST
New Debian apache2 2.4.25-3+deb9u5A~4.3.1.201808081329 fixes:

This update addresses the following issue(s):
* CVE_2001-1534 is open
  CVE_2003-1307 is open
  CVE_2003-1580 is open
  CVE_2003-1581 is open
  CVE_2007-0086 is open
  CVE_2007-1743 is open
  CVE_2007-3303 is open
  CVE_2008-0455 is open
  CVE_2008-0456 is open
* When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. (CVE-2018-1302)
  CVE_2018-1333 is open

2.4.25-3+deb9u5 (Sat, 02 Jun 2018 10:01:13 +0200)
* Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This fixes
  - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
  - Segfaults in mod_http2
  - mod_http2 issue with option "Indexes" and directive "HeaderName"
  Unfortunately, this also removes support for http2 when running on mpm_prefork.
* mod_http2: Avoid high memory usage with large files, causing crashes on 32bit archs.
* Make the apache-htcacheclean init script actually look into /etc/default/apache-htcacheclean for its config.
* CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)
--- mirror/ftp/4.3/unmaintained/4.3-1/source/apache2_2.4.25-3+deb9u4A~4.3.0.201804040703.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/apache2_2.4.25-3+deb9u5A~4.3.1.201808081329.dsc @@ -1,9 +1,24 @@ -2.4.25-3+deb9u4A~4.3.0.201804040703 [Wed, 04 Apr 2018 17:11:22 +0200] Univention builddaemon <buildd@univention.de>: +2.4.25-3+deb9u5A~4.3.1.201808081329 [Wed, 08 Aug 2018 13:43:30 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 05-autostart-setting 10-apache2-reload 20-no-proxy + +2.4.25-3+deb9u5 [Sat, 02 Jun 2018 10:01:13 +0200] Stefan Fritsch <sf@debian.org>: + + * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This + fixes + - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2 + - Segfaults in mod_http2 (Closes: #873945) + - mod_http2 issue with option "Indexes" and directive "HeaderName" + (Closes: #850947) + Unfortunately, this also removes support for http2 when running on + mpm_prefork. + * mod_http2: Avoid high memory usage with large files, causing crashes on + 32bit archs. Closes: #897218 + * Make the apache-htcacheclean init script actually look into + /etc/default/apache-htcacheclean for its config. Closes: #898563 2.4.25-3+deb9u4 [Sat, 31 Mar 2018 10:47:16 +0200] Stefan Fritsch <sf@debian.org>: <http://10.200.17.11/4.3-1/#8018937582357567868>
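Review bot: the new 2.4.25-3+deb9u5 changelog entry states that upgrading mod_http2 to the 2.4.33 version "removes support for http2 when running on mpm_prefork"; that is a user-visible behaviour change rather than a pure bug fix, so the erratum text generated from this package (apache2.yaml) should call it out explicitly so administrators running mpm_prefork with the http2 module enabled know their HTTP/2 setup will stop working after the update. Also, "Upgrade mod_http and mod_proxy_http2" in the same entry looks like a typo for mod_http2, since every bullet under it refers to mod_http2; worth correcting before the line is copied into the errata announcement.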
OK: patches
OK: piuparts
OK: yaml
OK: errata-announce

apache2.yaml [4.3-1] 7a2da28c7a Bug #47510: apache2 2.4.25-3+deb9u5A~4.3.1.201808081329
 doc/errata/staging/apache2.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<http://errata.software-univention.de/ucs/4.3/170.html>