The announcement message was also rejected by moderators because we don't have KEYS directly linked on the download page.
I will correct both (about three hrs from now) and reattempt announcement.
-- 
Daniel Ruggeri

On April 2, 2019 1:01:31 AM CDT, Marion et Christophe JAILLET <christophe.jail...@wanadoo.fr> wrote:
>Hi,
>
>CHANGES_2.4 has been updated with the SECURITY tags and is available
>from httpd.a.o.
>
>However, http://www.apache.org/dist/httpd/CHANGES_2.4.39 still reflects
>the file without these SECURITY items.
>
>I won't be able to update it before Friday, so feel free to fix it in
>the meantime.
>
>CJ
>
>> Message of 02/04/19 03:04
>> From: drugg...@apache.org
>> To: c...@httpd.apache.org
>> Cc:
>> Subject: svn commit: r33393 - /release/httpd/CHANGES_2.4
>>
>> Author: druggeri
>> Date: Tue Apr 2 01:04:50 2019
>> New Revision: 33393
>>
>> Log:
>> Correct changelog for vulnerabilities
>>
>> Modified:
>> release/httpd/CHANGES_2.4
>>
>> Modified: release/httpd/CHANGES_2.4
>> ==============================================================================
>> --- release/httpd/CHANGES_2.4 (original)
>> +++ release/httpd/CHANGES_2.4 Tue Apr 2 01:04:50 2019
>> @@ -1,13 +1,50 @@ >> -*- coding: utf-8 -*- >> Changes with Apache 2.4.39 >> + *) SECURITY: CVE-2019-0197 (cve.mitre.org) >> + mod_http2: fixes a possible crash when HTTP/2 was enabled for a >http: >> + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade >> + request from http/1.1 to http/2 that was not the first request on a >> + connection could lead to a misconfiguration and crash. Servers that >> + never enabled the h2 protocol or only enabled it for https: and >> + did not set "H2Upgrade on" are unaffected by this issue. >> + [Stefan Eissing] >> + >> + *) SECURITY: CVE-2019-0196 (cve.mitre.org) >> + mod_http2: using fuzzed network input, the http/2 request >> + handling could be made to access freed memory in string >> + comparision when determining the method of a request and >> + thus process the request incorrectly. [Stefan Eissing] >> + >> + *) SECURITY: CVE-2019-0211 (cve.mitre.org) >> + MPMs unix: Fix a local priviledge escalation vulnerability by not >> + maintaining each child's listener bucket number in the scoreboard, >> + preventing unprivileged code like scripts run by/on the server >(e.g. via >> + mod_php) from modifying it persistently to abuse the priviledged >main >> + process. [Charles Fol , Yann Ylavic] >> + >> + *) SECURITY: CVE-2019-0196 (cve.mitre.org) >> + mod_http2: using fuzzed network input, the http/2 request >> + handling could be made to access freed memory in string >> + comparision when determining the method of a request and >> + thus process the request incorrectly. [Stefan Eissing] >> + >> + *) SECURITY: CVE-2019-0217 (cve.mitre.org) >> + mod_auth_digest: Fix a race condition checking user credentials >which >> + could allow a user with valid credentials to impersonate another, >> + under a threaded MPM. PR 63124. [Simon Kappel ] >> + >> + *) SECURITY: CVE-2019-0215 (cve.mitre.org) >> + mod_ssl: Fix access control bypass for per-location/per-dir client >> + certificate verification in TLSv1.3. 
>> + >> + *) SECURITY: CVE-2019-0220 (cve.mitre.org) >> + Merge consecutive slashes in URL's. Opt-out with >> + `MergeSlashes OFF`. [Eric Covener] >> >> *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a >backend >> connection is recycled/reused to avoid a possible crash with some >SSLProxy >> configurations in or context. PR 63256. [Yann Ylavic] >> >> - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA >failure. >> - [Michael Kaufmann ] >> - >> *) mod_log_config: Support %{c}h for conn-hostname, %h for >useragent_host >> PR 55348 >> >> @@ -59,13 +96,6 @@ Changes with Apache 2.4.39 >> *) mod_cache_socache: Avoid reallocations and be safe with outgoing >data >> lifetime. [Yann Ylavic] >> >> - *) MPMs unix: bind the bucket number of each child to its slot >number, for a >> - more efficient per bucket maintenance. [Yann Ylavic] >> - >> - *) mod_auth_digest: Fix a race condition. Authentication with valid >> - credentials could be refused in case of concurrent accesses from >> - different users. PR 63124. [Simon Kappel ] >> - >> *) mod_http2: enable re-use of slave connections again. Fixed slave >connection >> keepalives counter. [Stefan Eissing] >> >> >> >>
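Review bot: in the first hunk (@@ -1,13 +1,50 @@) the CVE-2019-0196 entry is added twice, once directly after the CVE-2019-0197 entry and again after CVE-2019-0211, with identical text; the second copy should be dropped (and the hunk's new-side line count adjusted). Two spelling slips in the new entries would be worth fixing in the same pass: "priviledge"/"priviledged" in the CVE-2019-0211 text should read "privilege"/"privileged", and "comparision" in the CVE-2019-0196 text should read "comparison". Also, the CVE-2019-0215 entry carries no contributor credit, while every other SECURITY entry ends with a [Name] bracket and the line it replaces, `mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. [Michael Kaufmann ]`, did credit its author; the credit should be carried over rather than silently lost.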
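Review bot: in the second hunk (@@ -59,13 +96,6 @@) the removed mod_auth_digest line describes PR 63124 as valid credentials being refused under concurrent access from different users, whereas the SECURITY entry that replaces it in the first hunk describes the same PR as letting a user with valid credentials impersonate another; these read as two different impacts, so the security wording should be confirmed as the intended description before the changelog is republished. The removed MPMs unix entry is otherwise consistent with its CVE-2019-0211 replacement, which adds Charles Fol alongside Yann Ylavic.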