-
95f1ad7...
by
Marc Deslauriers
on 2020-03-13
-
Import patches-unapplied version 2.4.29-1ubuntu4.13 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: 39aa84ddc5f826ca090b8f0b6c5180b7dc0d03a7
New changelog entries:
* Add additional missing commits to TLSv1.3 support. (LP: #1867223)
- debian/patches/tlsv1.3-support-2.patch: fix whitespace and copy/paste
typos in modules/ssl/ssl_engine_kernel.c.
- debian/patches/tlsv1.3-support-3.patch: fail with 403 if
SSL_verify_client_post_handshake fails in
modules/ssl/ssl_engine_kernel.c.
- debian/patches/tlsv1.3-support-4.patch: disable AUTO_RETRY mode for
OpenSSL 1.1.1, which fixes post-handshake authentication in
modules/ssl/ssl_engine_init.c.
- debian/patches/tlsv1.3-support-5.patch: retrieve and set
sslconn->client_cert here for both "modern" and classic access
control in modules/ssl/ssl_engine_kernel.c.
-
39aa84d...
by
Marc Deslauriers
on 2019-12-03
-
Import patches-unapplied version 2.4.29-1ubuntu4.12 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 2ad0745ef3eb129d595f582986f2cd5f34ea2534
New changelog entries:
* Add TLSv1.3 support. (LP: #1845263)
- debian/patches/tlsv1.3-support.patch: backport upstream 2.4 commit
which introduced TLSv1.3 support.
-
2ad0745...
by
Steve Beattie
on 2019-09-16
-
Import patches-unapplied version 2.4.29-1ubuntu4.11 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: e7a4a4340e4c6bae39d8f974aab81fdc05518e62
New changelog entries:
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some configurations (LP: #1842701)
- drop d/p/CVE-2019-10092-3.patch
-
e7a4a43...
by
Steve Beattie
on 2019-08-26
-
Import patches-unapplied version 2.4.29-1ubuntu4.10 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: e651ec676e2a594b8ad5d8b9322ba128919f00e5
New changelog entries:
* SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
- d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
http/2 module keepalive throttling.
- CVE-2019-9517
* SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
denial of service (LP: #1840188)
- d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
re-use slave connections and fix slave connection keepalives
counter.
- CVE-2019-0197
* SECURITY UPDATE: mod_http2 memory corruption on early pushes
- included in mod_http2 1.15.4 backport
- CVE-2019-10081
* SECURITY UPDATE: read-after-free in mod_http2 h2 connection
shutdown.
- included in mod_http2 1.15.4 backport
- CVE-2019-10082
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-2019-10092-1.patch: Remove request details from built-in
error documents.
- d/p/CVE-2019-10092-2.patch: Add missing log numbers.
- d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
protection.
- CVE-2019-10092-1
* SECURITY UPDATE: mod_rewrite potential open redirect.
- d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
- CVE-2019-10098
* Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
CVE-2019-10081, and CVE-2019-10082 fixes:
- add d/p/mod_http2-1.14.1-backport-*.patches and
d/p/mod_http2-1.15.4-backport-*.patches
- dropped the following patches included above:
+ d/p/CVE-2018-1302.patch
+ d/p/CVE-2018-1333.patch
+ d/p/CVE-2018-11763.patch
+ d/p/CVE-2018-17189.patch
+ d/p/CVE-2019-0196.patch
-
e651ec6...
by
Andreas Hasenack
on 2019-07-16
-
Import patches-unapplied version 2.4.29-1ubuntu4.8 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 06081c62bf15d6904f01d0e3e626e3b5bb40af4a
New changelog entries:
* d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0
similarly to <0 with openssl 1.1.1
* d/p/clear-retry-flags-before-abort.patch: clear retry flags before
aborting on client-initiated reneg (LP: #1836329)
-
06081c6...
by
Andreas Hasenack
on 2019-06-28
-
Import patches-unapplied version 2.4.29-1ubuntu4.7 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 64fe79b956209c10f0f9af747120b1f62188c352
New changelog entries:
* d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
authentication when built with openssl 1.1.1 (LP: #1833039)
-
64fe79b...
by
Marc Deslauriers
on 2019-04-03
-
Import patches-unapplied version 2.4.29-1ubuntu4.6 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: cafd33c017ea25062f023347aed73e9241a8f4a3
New changelog entries:
* SECURITY UPDATE: slowloris DoS in mod_http2
- debian/patches/CVE-2018-17189.patch: change cleanup strategy for
slave connections in modules/http2/h2_conn.c.
- CVE-2018-17189
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: read-after-free on a string compare in mod_http2
- debian/patches/CVE-2019-0196.patch: disentangelment of stream and
request method in modules/http2/h2_request.c.
- CVE-2019-0196
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
-
cafd33c...
by
Andreas Hasenack
on 2018-10-10
-
Import patches-unapplied version 2.4.29-1ubuntu4.5 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 7a4ca66b9ce3095183ac8bc28c5d484434de2bf0
New changelog entries:
* d/debhelper/apache2-maintscript-helper: fix typo in apache2_switch_mpm()'s
a2query call. (LP: #1782806)
-
7a4ca66...
by
Marc Deslauriers
on 2018-10-03
-
Import patches-unapplied version 2.4.29-1ubuntu4.4 to ubuntu/bionic-security
Imported using git-ubuntu import.
Changelog parent: e726c4c3de1290561c5a3b79ddc270ba5862ebb0
New changelog entries:
* SECURITY UPDATE: DoS in HTTP/2 via NULL pointer
- debian/patches/CVE-2018-1302.patch: remove obsolete stream detach
code in modules/http2/h2_bucket_beam.c, modules/http2/h2_stream.c,
modules/http2/h2_stream.h.
- CVE-2018-1302
* SECURITY UPDATE: DoS in HTTP/2 via worker exhaustion
- debian/patches/CVE-2018-1333.patch: always wake up any conditional
waits when streams are aborted in modules/http2/h2_bucket_beam.c.
- CVE-2018-1333
* SECURITY UPDATE: DoS in HTTP/2 via large SETTINGS frames
- debian/patches/CVE-2018-11763.patch: rework connection IO event
handling in modules/http2/h2_session.c, modules/http2/h2_session.h,
modules/http2/h2_version.h.
- CVE-2018-11763
-
e726c4c...
by
Andreas Hasenack
on 2018-06-27
-
Import patches-unapplied version 2.4.29-1ubuntu4.3 to ubuntu/bionic-proposed
Imported using git-ubuntu import.
Changelog parent: 92eb26b8a9119d35f330876fdc314690527f8964
New changelog entries:
* d/p/balance-member-long-hostname-part{1,2}.patch: Provide an RFC1035
compliant version of the hostname in the
proxy_worker_shared structure. A hostname that is too long is no longer a
fatal error. (LP: #1750356)
