Format: 1.8
Date: Wed, 03 Apr 2019 09:22:37 -0400
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: amd64 all
Version: 2.4.29-1ubuntu4.6
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Changes:
 apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: slowloris DoS in mod_http2
     - debian/patches/CVE-2018-17189.patch: change cleanup strategy for slave connections in modules/http2/h2_conn.c.
     - CVE-2018-17189
   * SECURITY UPDATE: mod_session expiry time issue
     - debian/patches/CVE-2018-17199.patch: always decode session attributes early in modules/session/mod_session.c.
     - CVE-2018-17199
   * SECURITY UPDATE: read-after-free on a string compare in mod_http2
     - debian/patches/CVE-2019-0196.patch: disentanglement of stream and request method in modules/http2/h2_request.c.
     - CVE-2019-0196
   * SECURITY UPDATE: privilege escalation from modules' scripts
     - debian/patches/CVE-2019-0211.patch: bind the bucket number of each child to its slot number in include/scoreboard.h, server/mpm/event/event.c, server/mpm/prefork/prefork.c, server/mpm/worker/worker.c.
     - CVE-2019-0211
   * SECURITY UPDATE: mod_auth_digest access control bypass
     - debian/patches/CVE-2019-0217.patch: fix a race condition in modules/aaa/mod_auth_digest.c.
     - CVE-2019-0217
   * SECURITY UPDATE: URL normalization inconsistency
     - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in the path in include/http_core.h, include/httpd.h, server/core.c, server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety in server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in server/util.c.
     - CVE-2019-0220
Original-Maintainer: Debian Apache Maintainers