While in many projects it is just a rebuild, here it is quite some code.
From changes in 2.4.36:
  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.
=> commit
https://github.com/apache/httpd/commit/84edf5f49db23ced03259812bbf9426685f7d82a
  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected. SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
=> branch https://github.com/apache/httpd/commits/tlsv1.3-for-2.4.x
I'm not sure on this one ...
It won't be easy and the fallout might be high.
It almost seems safer to consider MREing something >=2.4.36 completely.
But all of that is up to the security team's guidance anyway.
Waiting on them to comment.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0215
--
https://bugs.launchpad.net/bugs/1845263
Title:
[wishlist] Add TLSv1.3 support to apache2 on Bionic