httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r20606 - in /release/httpd: CHANGES_2.2 CHANGES_2.2.34 CHANGES_2.4 CHANGES_2.4.27
Date Mon, 24 Jul 2017 18:11:23 GMT
Author: wrowe
Date: Mon Jul 24 18:11:23 2017
New Revision: 20606

Log:
Refresh published www.a.o/dist/httpd/CHANGES with CVE notations

Modified:
    release/httpd/CHANGES_2.2
    release/httpd/CHANGES_2.2.34
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.27

Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Mon Jul 24 18:11:23 2017
@@ -1,5 +1,11 @@
                                                          -*- coding: utf-8 -*-
-Changes with Apache 2.2.34
+Changes with Apache 2.2.34 (final)
+
+  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
+     in [Proxy-]Authorization headers type 'Digest' was not initialized or
+     reset before or between successive key=value assignments.
+     [William Rowe]
 
   *) Allow single-char field names inadvertantly disallowed in 2.2.32.
      PR 61220. [Yann Ylavic]

Modified: release/httpd/CHANGES_2.2.34
==============================================================================
--- release/httpd/CHANGES_2.2.34 (original)
+++ release/httpd/CHANGES_2.2.34 Mon Jul 24 18:11:23 2017
@@ -1,5 +1,11 @@
                                                          -*- coding: utf-8 -*-
-Changes with Apache 2.2.34
+Changes with Apache 2.2.34 (final)
+
+  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
+     in [Proxy-]Authorization headers type 'Digest' was not initialized or
+     reset before or between successive key=value assignments.
+     [William Rowe]
 
   *) Allow single-char field names inadvertantly disallowed in 2.2.32.
      PR 61220. [Yann Ylavic]

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Mon Jul 24 18:11:23 2017
@@ -2,6 +2,18 @@
 
 Changes with Apache 2.4.27
 
+  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+     mod_http2: Read after free. When under stress, closing many connections,
+     the HTTP/2 handling code would sometimes access memory after it has been
+     freed, resulting in potentially erratic behaviour.
+     [Stefan Eissing]
+
+  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
+     in [Proxy-]Authorization headers type 'Digest' was not initialized or
+     reset before or between successive key=value assignments.
+     [William Rowe]
+
   *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
      global variable when using Lua 5.2 or later. This was exported as a
      side effect from luaL_register, which is no longer supported as of

Modified: release/httpd/CHANGES_2.4.27
==============================================================================
--- release/httpd/CHANGES_2.4.27 (original)
+++ release/httpd/CHANGES_2.4.27 Mon Jul 24 18:11:23 2017
@@ -2,6 +2,18 @@
 
 Changes with Apache 2.4.27
 
+  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+     mod_http2: Read after free. When under stress, closing many connections,
+     the HTTP/2 handling code would sometimes access memory after it has been
+     freed, resulting in potentially erratic behaviour.
+     [Stefan Eissing]
+
+  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
+     in [Proxy-]Authorization headers type 'Digest' was not initialized or
+     reset before or between successive key=value assignments.
+     [William Rowe]
+
   *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
      global variable when using Lua 5.2 or later. This was exported as a
      side effect from luaL_register, which is no longer supported as of



Mime
View raw message