Comment 5 for bug 1845263

Christian Ehrhardt  (paelzer) wrote :

While in many projects it is just a rebuild, here it is quite some code.

From changes in 2.4.36:
  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.
=> commit https://github.com/apache/httpd/commit/84edf5f49db23ced03259812bbf9426685f7d82a

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected. SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
=> branch https://github.com/apache/httpd/commits/tlsv1.3-for-2.4.x

I'm not sure on this one ...
It won't be easy and the fallout might be high.
It almost seems safer to consider MREing something >=2.4.36 completely.

But all of that is up to the security team's guidance anyway.
Waiting on them to comment.