Format: 1.8
Date: Mon, 26 Aug 2019 06:41:23 -0700
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: amd64 all
Version: 2.4.29-1ubuntu4.10
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Steve Beattie
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Launchpad-Bugs-Fixed: 1840188
Changes:
 apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
     - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
       http/2 module keepalive throttling.
     - CVE-2019-9517
   * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
     denial of service (LP: #1840188)
     - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
       re-use slave connections and fix slave connection keepalives
       counter.
     - CVE-2019-0197
   * SECURITY UPDATE: mod_http2 memory corruption on early pushes
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10081
   * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
     shutdown.
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10082
   * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
     error page.
     - d/p/CVE-2019-10092-1.patch: Remove request details from
       built-in error documents.
     - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
     - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
       protection.
     - CVE-2019-10092-1
   * SECURITY UPDATE: mod_rewrite potential open redirect.
     - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
     - CVE-2019-10098
   * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
     CVE-2019-10081, and CVE-2019-10082 fixes:
     - add d/p/mod_http2-1.14.1-backport-*.patches and
       d/p/mod_http2-1.15.4-backport-*.patches
     - dropped the following patches included above:
       + d/p/CVE-2018-1302.patch
       + d/p/CVE-2018-1333.patch
       + d/p/CVE-2018-11763.patch
       + d/p/CVE-2018-17189.patch
       + d/p/CVE-2019-0196.patch
Original-Maintainer: Debian Apache Maintainers