[CVE-2018-11803] Apache Subversion Denial of Service Vulnerability

2019-01-22 Thread Troy Curtis

This is a security notification for Apache Subversion HTTP Servers:

CVE-2018-11803
Severity: Medium
Affected Versions: Apache Subversion 1.11.0, 1.10.0 to 1.10.3

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 
to 1.10.3 will crash after dereferencing an uninitialized pointer if the 
client omits the root path in a recursive directory listing operation. 
This issue can be triggered by any client on Subversion repositories 
configured for anonymous read access. If read access requires 
authentication, a denial of service attack can only be performed by an 
authenticated user.


The Subversion releases 1.10.4 and 1.11.1 contain the fixes for this 
vulnerability and are available immediately at:


https://dist.apache.org/repos/dist/release/subversion/?p=32084

Additional details, including patches for 1.10.3 and 1.11.0 can be found at:

https://subversion.apache.org/security/CVE-2018-11803-advisory.txt

We encourage users of Subversion to upgrade to the latest appropriate 
version as soon as reasonable.


Thanks,
- The Subversion Team
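As an added example (not part of the advisory or of the Subversion project's own code), a small Python triage helper that applies the affected-version ranges stated above to an inventory of mod_dav_svn hosts and reports which ones need the 1.10.4 or 1.11.1 update; the `svn, version x.y.z (rNNN)` input format, the inventory shape and the host names are assumptions.

```python
import re

# Affected and fixed versions as stated in the CVE-2018-11803 advisory:
# (major, minor) -> (first affected patch, last affected patch, fixed patch)
AFFECTED = {
    (1, 10): (0, 3, 4),   # 1.10.0 .. 1.10.3 affected, fixed in 1.10.4
    (1, 11): (0, 0, 1),   # 1.11.0 affected, fixed in 1.11.1
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z version from text such as
    'svn, version 1.10.3 (r1842928)' (assumed output format) or a bare '1.11.0'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % (text,))
    return tuple(int(g) for g in m.groups())


def cve_2018_11803_status(text):
    """Return (affected, recommended_fixed_version) for a version string."""
    major, minor, patch = parse_version(text)
    rng = AFFECTED.get((major, minor))
    if rng is None:
        return (False, None)
    first, last, fixed = rng
    if first <= patch <= last:
        return (True, "%d.%d.%d" % (major, minor, fixed))
    return (False, None)


def triage(inventory):
    """inventory: iterable of (host, version_text, anonymous_read).
    Returns a list of (host, advice) for affected hosts only; exposure follows the
    advisory: any client on anonymous-read repositories, else authenticated users."""
    findings = []
    for host, version_text, anonymous_read in inventory:
        affected, fixed = cve_2018_11803_status(version_text)
        if not affected:
            continue
        exposure = ("any client (anonymous read access)" if anonymous_read
                    else "authenticated users only")
        findings.append((host, "upgrade to %s; DoS reachable by %s" % (fixed, exposure)))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders.
    sample = [
        ("svn-public.example", "svn, version 1.10.3 (r1842928)", True),
        ("svn-internal.example", "svn, version 1.11.0 (r1845130)", False),
        ("svn-legacy.example", "svn, version 1.9.7 (r1800392)", True),
    ]
    for host, advice in triage(sample):
        print("%s: %s" % (host, advice))
```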


[ANNOUNCEMENT] Apache HTTP Server 2.4.38 Released

2019-01-22 Thread Daniel Ruggeri
Apache HTTP Server 2.4.38 Released

   January 22, 2019

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.38 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.38 is available for download from:

 http://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4, please see:

 http://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.38, includes only
   those changes introduced since the prior 2.4 release.  A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available at:

 http://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur including security
   patches.  Users must promptly complete their transitions to this 2.4.x
   release of httpd to benefit from further bug fixes or new features.



[ANNOUNCEMENT] HttpComponents Core 4.4.11 Released

2019-01-22 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce the 4.4.11 GA
release of HttpComponents Core.

This is a maintenance release that corrects a number of defects in the
non-blocking SSL session code that caused compatibility issues with the
TLSv1.3 protocol implementation shipped with Java 11.

Please note that as of 4.4 HttpCore requires Java 1.6 or newer.

IMPORTANT: Users of HttpCore 4.x GA releases are strongly encouraged to
evaluate new HttpCore 5.0 APIs and give the project developers
feedback, share critique or propose changes.

Download -

Release notes -

HttpComponents site -


About HttpComponents Core

HttpCore is a set of low level HTTP transport components that can be
used to build custom client and server side HTTP services with a
minimal footprint. HttpCore supports two I/O models: a blocking I/O
model based on the classic Java I/O and a non-blocking, event driven
I/O model based on Java NIO.