Format: 1.8
Date: Wed, 03 Apr 2019 09:22:37 -0400
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: i386
Version: 2.4.29-1ubuntu4.6
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Changes:
 apache2 (2.4.29-1ubuntu4.6) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: slowloris DoS in mod_http2
     - debian/patches/CVE-2018-17189.patch: change cleanup strategy for
       slave connections in modules/http2/h2_conn.c.
     - CVE-2018-17189
   * SECURITY UPDATE: mod_session expiry time issue
     - debian/patches/CVE-2018-17199.patch: always decode session
       attributes early in modules/session/mod_session.c.
     - CVE-2018-17199
   * SECURITY UPDATE: read-after-free on a string compare in mod_http2
     - debian/patches/CVE-2019-0196.patch: disentanglement of stream and
       request method in modules/http2/h2_request.c.
     - CVE-2019-0196
   * SECURITY UPDATE: privilege escalation from modules' scripts
     - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
       child to its slot number in include/scoreboard.h,
       server/mpm/event/event.c, server/mpm/prefork/prefork.c,
       server/mpm/worker/worker.c.
     - CVE-2019-0211
   * SECURITY UPDATE: mod_auth_digest access control bypass
     - debian/patches/CVE-2019-0217.patch: fix a race condition in
       modules/aaa/mod_auth_digest.c.
     - CVE-2019-0217
   * SECURITY UPDATE: URL normalization inconsistency
     - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
       the path in include/http_core.h, include/httpd.h, server/core.c,
       server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
       in server/request.c, server/util.c.
     - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
       server/util.c.
     - CVE-2019-0220
Original-Maintainer: Debian Apache Maintainers