This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39
The following security vulnerabilities are addressed:
MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main
mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.
mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.
Merge consecutive slashes in URLs. Opt-out with
sudo dnf upgrade --advisory=FEDORA-2019-a4ed7400f4
| submitted | 6 months ago |
| in testing | 5 months ago |
| in stable | 5 months ago |
| modified | 5 months ago |
| 0 | 0 | #1694510 httpd-2.4.39 is available |
| 0 | 0 | #1694986 CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all] |
| 0 | 0 | #1695046 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all] |
| 0 | 0 | #1698719 fix a regression introduced in r1740928 |
| 0 | 0 | Test Case HTTPd |