FEDORA-2019-a4ed7400f4

security update in Fedora 28 for httpd

Status: stable 5 months ago

This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES_2.4.39

The following security vulnerabilities are addressed:

  • CVE-2019-0211 - MPMs unix: Fix a local privilege escalation vulnerability by not maintaining each child's listener bucket number in the scoreboard, preventing unprivileged code like scripts run by/on the server (e.g. via mod_php) from modifying it persistently to abuse the privileged main process.

  • CVE-2019-0215 - mod_ssl: Fix access control bypass for per-location/per-dir client certificate verification in TLSv1.3.

  • CVE-2019-0217 - mod_auth_digest: Fix a race condition checking user credentials which could allow a user with valid credentials to impersonate another, under a threaded MPM.

  • CVE-2019-0220 - Merge consecutive slashes in URLs. Opt out with MergeSlashes OFF.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-a4ed7400f4

Comments 15

This update has been submitted for testing by luhliarik.

This update has been pushed to testing.

jorton edited this update.

jorton edited this update.

jorton edited this update.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

jorton edited this update.

jorton edited this update.

New build(s):

  • httpd-2.4.39-1.1.fc28

Removed build(s):

  • httpd-2.4.39-1.fc28

Karma has been reset.

This update has been submitted for testing by jorton.

This update has been pushed to testing.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for batched by jorton.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: high
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 6 months ago; in testing 5 months ago; in stable 5 months ago; modified 5 months ago

Related Bugs 4

  • #1694510 httpd-2.4.39 is available
  • #1694986 CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all]
  • #1695046 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]
  • #1698719 fix a regression introduced in r1740928

Test Cases

  • Test Case HTTPd