httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r17503 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Date Tue, 20 Dec 2016 18:13:12 GMT
Author: wrowe
Date: Tue Dec 20 18:13:12 2016
New Revision: 17503

Log:
Record security errata, edits in the next 45 minutes are most welcomed

Modified:
    dev/httpd/Announcement2.4.html
    dev/httpd/Announcement2.4.txt

Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Tue Dec 20 18:13:12 2016
@@ -23,10 +23,33 @@
    the release of version 2.4.25 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
-   represents fifteen years of
-   innovation by the project, and is recommended over all previous releases. This
-   release of Apache is principally a security, feature, and bug fix release.
+   represents fifteen years of innovation by the project, and is
+   recommended over all previous releases. This release of Apache is
+   a security, feature, and bug fix release, and addresses these 
+   specific security defects as well as other fixes;
 </p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>
+     mod_session_crypto: Authenticate the session data/cookie with a
+     MAC (SipHash) to prevent deciphering or tampering with a padding
+     oracle attack.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>
+     mod_auth_digest: Prevent segfaults during client entry allocation
+     when the shared memory space is exhausted.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>
+     mod_http2: Mitigate DoS memory exhaustion via endless
+     CONTINUATION frames.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
+     Enforce HTTP request grammar corresponding to RFC7230 for request
+     lines and request headers, to prevent response splitting and cache
+     pollution by malicious clients or downstream proxies.
+</li>
+</ul>
 <p>
    NOTE: version 2.4.24 was not released.
 </p>
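Review bot: The CVE-2016-5387 list item (the third `<li>`) in this hunk carries only the link and no description, whereas the other four items each have a module/summary line and the .txt file in the same commit describes this one as `core: Mitigate [f]cgi "httpoxy" issues.`; add that summary line under the link so the HTML and text announcements say the same thing. Two smaller points in the same hunk: the sentence introducing the list ends with a semicolon (`as well as other fixes;`) where a colon would read correctly before a list, and the line `a security, feature, and bug fix release, and addresses these ` carries trailing whitespace.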

Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Tue Dec 20 18:13:12 2016
@@ -6,7 +6,29 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   principally a security, feature, and bug fix release.
+   a security, feature, and bug fix release, and addresses these 
+   specific security defects as well as other fixes;
+
+     CVE-2016-0736 (cve.mitre.org)
+     mod_session_crypto: Authenticate the session data/cookie with a
+     MAC (SipHash) to prevent deciphering or tampering with a padding
+     oracle attack.
+
+     CVE-2016-2161 (cve.mitre.org)
+     mod_auth_digest: Prevent segfaults during client entry allocation
+     when the shared memory space is exhausted.
+
+     CVE-2016-5387 (cve.mitre.org)
+     core: Mitigate [f]cgi "httpoxy" issues.
+
+     CVE-2016-8740 (cve.mitre.org)
+     mod_http2: Mitigate DoS memory exhaustion via endless
+     CONTINUATION frames.
+
+     CVE-2016-8743 (cve.mitre.org)
+     Enforce HTTP request grammar corresponding to RFC7230 for request
+     lines and request headers, to prevent response splitting and cache
+     pollution by malicious clients or downstream proxies.
 
    NOTE: Version 2.4.24 was not released.
    
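Review bot: The introductory sentence in this hunk ends with a semicolon (`specific security defects as well as other fixes;`) where a colon would be correct before the list that follows, and the preceding line `a security, feature, and bug fix release, and addresses these ` has trailing whitespace; both match the same wording in the HTML hunk and should be fixed in both files together. The text version otherwise lists all five CVEs with a summary each, including `CVE-2016-5387 (cve.mitre.org)` / `core: Mitigate [f]cgi "httpoxy" issues.`, so this hunk is the more complete of the two and can serve as the reference when aligning the HTML entry.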