The NetBSD Project

CVS log for pkgsrc/www/apache24/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / apache24

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: pkgsrc-2019Q3-base


Revision 1.41 / (download) - annotate - [select for diffs], Thu Aug 15 08:03:39 2019 UTC (4 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3
Branch point for: pkgsrc-2020Q1
Changes since 1.40: +6 -6 lines
Diff to previous 1.40 (unified)

apache24: updated to 2.4.41

Changes with Apache 2.4.41

  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
     could lead to an overwrite of memory in the pushing request's pool,
     leading to crashes. The memory copied is that of the configured push
     link header values, not data supplied by the client.

  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
     mod_http2: a malicious client could perform a DoS attack by flooding
     a connection with requests and basically never reading responses
     on the TCP connection. Depending on h2 worker dimensioning, it was
     possible to block those with relatively few connections.

  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.

  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
     Remove HTML-escaped URLs from canned error responses to prevent misleading
     text/links being displayed via crafted links.

  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
     when reading the PROXY protocol header.

  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
     mod_http2: Using fuzzed network input, the http/2 session
     handling could be made to read memory after being freed,
     during connection shutdown.

  *) mod_proxy_balancer: Improve balancer-manager protection against
     XSS/XSRF attacks from trusted users.

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval.

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>