This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. For the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39

The following security vulnerabilities are addressed:

  • CVE-2019-0211 - MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main process.

  • CVE-2019-0215 - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.

  • CVE-2019-0217 - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.

  • CVE-2019-0220 - Merge consecutive slashes in URLs. Opt out with MergeSlashes OFF.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-a4ed7400f4

This update has been submitted for testing by luhliarik.

a year ago

This update has been pushed to testing.

a year ago

jorton edited this update.

a year ago

jorton edited this update.

a year ago

jorton edited this update.

a year ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

a year ago

jorton edited this update.

a year ago
pwalter commented & provided feedback a year ago

Works

jorton edited this update.

New build(s):

  • httpd-2.4.39-1.1.fc28

Removed build(s):

  • httpd-2.4.39-1.fc28

Karma has been reset.

a year ago

This update has been submitted for testing by jorton.

a year ago

This update has been pushed to testing.

a year ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

a year ago

This update has been submitted for batched by jorton.

a year ago

This update has been submitted for stable by bodhi.

a year ago

This update has been pushed to stable.

a year ago


Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled

Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
modified: a year ago

BZ#1694510 httpd-2.4.39 is available
BZ#1694986 CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all]
BZ#1695046 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]
BZ#1698719 fix a regression introduced in r1740928

Automated Test Results

Test Cases

Test Case HTTPd