This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39
The following security vulnerabilities are addressed:
CVE-2019-0211 - MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main process.
CVE-2019-0215 - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.
CVE-2019-0217 - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.
CVE-2019-0220 - Merge consecutive slashes in URLs. Opt out with MergeSlashes OFF.
sudo dnf upgrade --advisory=FEDORA-2019-119b14075a
This update has been submitted for testing by luhliarik.
This update has been pushed to testing.
Works here.
jorton edited this update.
jorton edited this update.
jorton edited this update.
This update has been submitted for batched by bodhi.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
This commit: https://src.fedoraproject.org/rpms/httpd/c/b86b48c4a2a3293c0e9a8cb74e01f1827c3be904?branch=f29 breaks certbot: https://bugzilla.redhat.com/show_bug.cgi?id=1701018