-
77680cd...
by
Steve Beattie
on 2019-09-16
-
Import patches-unapplied version 2.4.18-2ubuntu3.13 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: 9753035d2b58c6df6e643f1c86517ba839118265
New changelog entries:
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some configurations (LP: #1842701)
- drop d/p/CVE-2019-10092-3.patch
-
9753035...
by
Steve Beattie
on 2019-08-26
-
Import patches-unapplied version 2.4.18-2ubuntu3.12 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: 718e5625748d3e7515c8ebd6ed821eebec5e2e9e
New changelog entries:
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-2019-10092-1.patch: Remove request details from built-in
error documents.
- d/p/CVE-2019-10092-2.patch: Add missing log numbers.
- d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
protection.
- CVE-2019-10092
* SECURITY UPDATE: mod_rewrite potential open redirect.
- d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
- CVE-2019-10098
-
718e562...
by
Marc Deslauriers
on 2019-04-03
-
Import patches-unapplied version 2.4.18-2ubuntu3.10 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: d7a2c9922f3a2122925aa4b3b2aa3b47a52eb920
New changelog entries:
* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199.patch: always decode session attributes
early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: privilege escalation from modules' scripts
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
child to its slot number in include/scoreboard.h,
server/mpm/event/event.c, server/mpm/prefork/prefork.c,
server/mpm/worker/worker.c.
- CVE-2019-0211
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in
modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
the path in include/http_core.h, include/httpd.h, server/core.c,
server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
server/util.c.
- CVE-2019-0220
-
d7a2c99...
by
Andreas Hasenack
on 2018-06-07
-
Import patches-unapplied version 2.4.18-2ubuntu3.9 to ubuntu/xenial-proposed
Imported using git-ubuntu import.
Changelog parent: 70003688226c7b2b0040a7bb651616a86e4f1b50
New changelog entries:
* debian/patches/includeoptional-ignore-non-existent.patch: silently
ignore a not existent file path with IncludeOptional . Closes LP:
#1766186.
-
7000368...
by
Marc Deslauriers
on 2018-04-18
-
Import patches-unapplied version 2.4.18-2ubuntu3.8 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: ad98b12e5bbe8e87b62464dc6422eb7b01ace3a5
New changelog entries:
* SECURITY UPDATE: DoS via missing header with AuthLDAPCharsetConfig
- debian/patches/CVE-2017-15710.patch: fix language long names
detection as short name in modules/aaa/mod_authnz_ldap.c.
- CVE-2017-15710
* SECURITY UPDATE: incorrect <FilesMatch> matching
- debian/patches/CVE-2017-15715-pre.patch: add ap_cstr_casecmp[n]() to
include/httpd.h, server/util.c.
- debian/patches/CVE-2017-15715.patch: allow to configure
global/default options for regexes, like caseless matching or
extended format in include/ap_regex.h, server/core.c,
server/util_pcre.c.
- CVE-2017-15715
* SECURITY UPDATE: mod_session header manipulation
- debian/patches/CVE-2018-1283.patch: strip Session header when
SessionEnv is on in modules/session/mod_session.c.
- CVE-2018-1283
* SECURITY UPDATE: DoS via specially-crafted request
- debian/patches/CVE-2018-1301.patch: ensure that read lines are NUL
terminated on any error, not only on buffer full in
server/protocol.c.
- CVE-2018-1301
* SECURITY UPDATE: mod_cache_socache DoS
- debian/patches/CVE-2018-1303.patch: fix caching of empty headers up
to carriage return in modules/cache/mod_cache_socache.c.
- CVE-2018-1303
* SECURITY UPDATE: insecure nonce generation
- debian/patches/CVE-2018-1312.patch: actually use the secret when
generating nonces in modules/aaa/mod_auth_digest.c.
- CVE-2018-1312
-
ad98b12...
by
Rafael David Tinoco
on 2018-03-01
-
Import patches-unapplied version 2.4.18-2ubuntu3.7 to ubuntu/xenial-proposed
Imported using git-ubuntu import.
Changelog parent: 1b78f08b4e9adf6bec26ed6ae6ed85a0fc1c5ebd
New changelog entries:
* Avoid crashes, hangs and loops by fixing mod_ldap locking: (LP: #1752683)
- added debian/patches/util_ldap_cache_lock_fix.patch
-
1b78f08...
by
Marc Deslauriers
on 2017-09-18
-
Import patches-unapplied version 2.4.18-2ubuntu3.5 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: 910037212e26d3d24ffd68cf603774b05846e16b
New changelog entries:
* SECURITY UPDATE: optionsbleed information leak
- debian/patches/CVE-2017-9798.patch: disallow method registration
at run time in server/core.c.
- CVE-2017-9798
-
9100372...
by
Marc Deslauriers
on 2017-07-27
-
Import patches-unapplied version 2.4.18-2ubuntu3.4 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: fa59408214f5788af92a23d2dd17ac03559b4cba
New changelog entries:
* SECURITY UPDATE: uninitialized memory reflection in mod_auth_digest
- debian/patches/CVE-2017-9788.patch: correct string scope in
modules/aaa/mod_auth_digest.c.
- CVE-2017-9788
-
fa59408...
by
Marc Deslauriers
on 2017-06-26
-
Import patches-unapplied version 2.4.18-2ubuntu3.3 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: 674de8a5e180015cc60cb09267fcf60f72c5745c
New changelog entries:
* SECURITY UPDATE: authentication bypass in ap_get_basic_auth_pw()
- debian/patches/CVE-2017-3167.patch: deprecate and replace
ap_get_basic_auth_pw in include/ap_mmn.h, include/http_protocol.h,
server/protocol.c, server/request.c.
- CVE-2017-3167
* SECURITY UPDATE: NULL pointer deref in ap_hook_process_connection()
- debian/patches/CVE-2017-3169.patch: fix ctx passed to
ssl_io_filter_error() in modules/ssl/ssl_engine_io.c.
- CVE-2017-3169
* SECURITY UPDATE: denial of service and possible incorrect value return
in HTTP strict parsing changes
- debian/patches/CVE-2017-7668.patch: short-circuit on NULL in
server/util.c.
- CVE-2017-7668
* SECURITY UPDATE: mod_mime DoS via crafted Content-Type response header
- debian/patches/CVE-2017-7679.patch: fix quoted pair scanning in
modules/http/mod_mime.c.
- CVE-2017-7679
-
674de8a...
by
Marc Deslauriers
on 2017-05-05
-
Import patches-unapplied version 2.4.18-2ubuntu3.2 to ubuntu/xenial-security
Imported using git-ubuntu import.
Changelog parent: 79adcb376bae737ff27723285aba2b5d8f338b53
New changelog entries:
* SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
- debian/patches/CVE-2016-0736.patch: authenticate the session
data/cookie with a MAC in modules/session/mod_session_crypto.c.
- CVE-2016-0736
* SECURITY UPDATE: denial of service via malicious mod_auth_digest input
- debian/patches/CVE-2016-2161.patch: improve memory handling in
modules/aaa/mod_auth_digest.c.
- CVE-2016-2161
* SECURITY UPDATE: response splitting and cache pollution issue via
incomplete RFC7230 HTTP request grammar enforcing
- debian/patches/CVE-2016-8743.patch: enfore stricter parsing in
include/http_core.h, include/http_protocol.h, include/httpd.h,
modules/http/http_filters.c, server/core.c, server/gen_test_char.c,
server/protocol.c, server/util.c, server/vhost.c.
- debian/patches/hostnames_with_underscores.diff: relax hostname
restrictions in server/vhost.c.
- CVE-2016-8743
* WARNING: The fix for CVE-2016-8743 introduces a behavioural change and
may introduce compatibility issues with clients that do not strictly
follow specifications. A new configuration directive,
"HttpProtocolOptions Unsafe" can be used to re-enable some of the less
strict parsing restrictions, at the expense of security.
