FEDORA-2018-6744ca470d — security update for httpd

stable

httpd-2.4.33-2.fc28

FEDORA-2018-6744ca470d created by jorton 7 years ago for Fedora 28

This update includes the latest upstream release of the Apache HTTP Server, version 2.4.33. A number of security vulnerabilities are fixed in this release:

Low: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
Low: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301)
Low: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
Low: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)
Low: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
Moderate: Tampering of mod_session data for CGI applications (CVE-2018-1283)

For more information about changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.33

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-6744ca470d

This update has been submitted for testing by jorton.

7 years ago

jorton edited this update.

7 years ago

This update has been pushed to testing.

7 years ago

adamwill commented & provided feedback 7 years ago

karma

This will cause all existing deployments to fail to start: https://bugzilla.redhat.com/show_bug.cgi?id=1562413

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

7 years ago

adamwill edited this update.

New build(s):

httpd-2.4.33-2.fc28

Removed build(s):

httpd-2.4.33-1.fc28

Karma has been reset.

7 years ago

This update has been submitted for testing by adamwill.

7 years ago

alfalco provided feedback 7 years ago

karma

itamarjp commented & provided feedback 7 years ago

karma

thank you

This update has been pushed to testing.

7 years ago

danniel commented & provided feedback 7 years ago

karma

works

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

7 years ago

nathan95 commented & provided feedback 7 years ago

karma

works for me

frantisekz commented & provided feedback 7 years ago

karma

Works fine

besser82 commented & provided feedback 7 years ago

karma

Works great! LGTM! =)

cserpentis commented & provided feedback 7 years ago

karma

works for me

pwalter commented & provided feedback 7 years ago

karma

Works

This update has been submitted for batched by pwalter.

7 years ago

This update has been submitted for stable by bodhi.

7 years ago

This update has been pushed to stable.

7 years ago

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

passed

Autopush Settings

Unstable by Karma

-3

Stable by Karma

disabled

Stable by Time

disabled

Dates

submitted

7 years ago

in testing

7 years ago

in stable

7 years ago

modified

7 years ago

Builds

httpd-2.4.33-2.fc28

BZ#1560174 httpd-2.4.33 is available

BZ#1560396 CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications [fedora-all]

BZ#1560400 CVE-2018-1303 httpd: http: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service [fedora-all]

BZ#1560616 CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values [fedora-all]

BZ#1560618 CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing newline in the file name [fedora-all]

BZ#1560635 CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest [fedora-all]

BZ#1560644 CVE-2018-1301 httpd: Out of bound access after failure in reading the HTTP request [fedora-all]

httpd-2.4.33-2.fc28

Automated Test Results

passed

Test Cases


0	0	Test Case HTTPd