This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. For the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39

The following security vulnerabilities are addressed:

  • CVE-2019-0211 - MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main process.

  • CVE-2019-0215 - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.

  • CVE-2019-0217 - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.

  • CVE-2019-0220 - Merge consecutive slashes in URLs. Opt out with MergeSlashes OFF.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-a4ed7400f4

This update has been submitted for testing by luhliarik.

a year ago

This update has been pushed to testing.

a year ago

jorton edited this update.

a year ago

jorton edited this update.

a year ago

jorton edited this update.

a year ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

a year ago

jorton edited this update.

a year ago
pwalter commented & provided feedback 12 months ago

Works

jorton edited this update.

New build(s):

  • httpd-2.4.39-1.1.fc28

Removed build(s):

  • httpd-2.4.39-1.fc28

Karma has been reset.

11 months ago

This update has been submitted for testing by jorton.

11 months ago

This update has been pushed to testing.

11 months ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

11 months ago

This update has been submitted for batched by jorton.

11 months ago

This update has been submitted for stable by bodhi.

11 months ago

This update has been pushed to stable.

11 months ago


Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Dates
submitted: a year ago
in testing: 11 months ago
in stable: 11 months ago
modified: 11 months ago
BZ#1694510 httpd-2.4.39 is available
BZ#1694986 CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all]
BZ#1695046 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]
BZ#1698719 fix a regression introduced in r1740928

Automated Test Results

Test Cases

Test Case HTTPd