This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. For the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39

The following security vulnerabilities are addressed:

  • CVE-2019-0211 - MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main process.

  • CVE-2019-0215 - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.

  • CVE-2019-0217 - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.

  • CVE-2019-0220 - Merge consecutive slashes in URLs. Opt out with MergeSlashes OFF.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-a4ed7400f4

This update has been submitted for testing by luhliarik.

8 months ago

This update has been pushed to testing.

8 months ago

jorton edited this update.

8 months ago

jorton edited this update.

8 months ago

jorton edited this update.

8 months ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

8 months ago

jorton edited this update.

8 months ago

pwalter commented & provided feedback 8 months ago

Works

jorton edited this update.

New build(s):

  • httpd-2.4.39-1.1.fc28

Removed build(s):

  • httpd-2.4.39-1.fc28

Karma has been reset.

7 months ago

This update has been submitted for testing by jorton.

7 months ago

This update has been pushed to testing.

7 months ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

7 months ago

This update has been submitted for batched by jorton.

7 months ago

This update has been submitted for stable by bodhi.

7 months ago

This update has been pushed to stable.

7 months ago


Metadata

  • Type: security
  • Severity: high
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: 3

Dates

  • submitted: 8 months ago
  • in testing: 7 months ago
  • in stable: 7 months ago
  • modified: 7 months ago

  • BZ#1694510 httpd-2.4.39 is available
  • BZ#1694986 CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all]
  • BZ#1695046 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]
  • BZ#1698719 fix a regression introduced in r1740928

Test Cases

  • Test Case HTTPd