Ah, yes... Not sure how I made that error. Just fixed!

--
Daniel Ruggeri

On August 17, 2019 9:41:42 AM CDT, Stefan Fritsch <[email protected]> wrote:
>Hi,
>
>Shouldn't CVE-2019-10097 be listed under 2.4.41, too?
>
>Cheers,
>Stefan
>
>--- httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:43:00 1865188 >+++ httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:52:45 1865189 >@@ -1,8 +1,39 @@ > -*- coding: >utf-8 -*- > Changes with Apache 2.4.42 > >+ *) SECURITY: CVE-2019-10097 (cve.mitre.org) >+ mod_remoteip: Fix stack buffer overflow and NULL pointer >deference >+ when reading the PROXY protocol header. [Joe Orton, >+ Daniel McCarney <cpu letsencrypt.org>] >+ > Changes with Apache 2.4.41 > >+ *) SECURITY: CVE-2019-9517 (cve.mitre.org) >+ mod_http2: a malicious client could perform a DoS attack by >flooding >+ a connection with requests and basically never reading >responses >+ on the TCP connection. Depending on h2 worker dimensioning, it >was >+ possible to block those with relatively few connections. >[Stefan Eissing] >+
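Review bot: The CVE-2019-10097 entry is added only under the "Changes with Apache 2.4.42" heading, while the CVE-2019-9517 entry in the same hunk goes under "Changes with Apache 2.4.41". If the mod_remoteip fix shipped in 2.4.41, the entry should appear in that section so that anyone reading the 2.4.41 changes to decide on an upgrade sees the stack buffer overflow fix. In the same entry, "NULL pointer deference" should read "NULL pointer dereference".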
