Accepted apache2 2.4.38-3 (source amd64 all) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Apr 2019 20:15:40 +0200
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source amd64 all
Version: 2.4.38-3
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Changes:
 apache2 (2.4.38-3) unstable; urgency=high
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: read-after-free on a string compare in mod_http2
     - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
       request method in modules/http2/h2_request.c.
     - CVE-2019-0196
   * SECURITY UPDATE: privilege escalation from modules' scripts
     - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
       child to its slot number in include/scoreboard.h,
       server/mpm/event/event.c, server/mpm/prefork/prefork.c,
       server/mpm/worker/worker.c.
     - CVE-2019-0211
   * SECURITY UPDATE: mod_ssl access control bypass
     - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
       PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
     - CVE-2019-0215
   * SECURITY UPDATE: mod_auth_digest access control bypass
     - debian/patches/CVE-2019-0217.patch: fix a race condition in
       modules/aaa/mod_auth_digest.c.
     - CVE-2019-0217
   * SECURITY UPDATE: URL normalization inconsistency
     - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
       the path in include/http_core.h, include/httpd.h, server/core.c,
       server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
       in server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
       server/util.c.
     - CVE-2019-0220
 .
   [ Stefan Fritsch ]
   * Pull security fixes from 2.4.39 via Ubuntu
   * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----