Format: 1.8
Date: Mon, 26 Aug 2019 06:41:23 -0700
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: armhf
Version: 2.4.29-1ubuntu4.10
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Steve Beattie
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Launchpad-Bugs-Fixed: 1840188
Changes:
 apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
     - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve http/2 module keepalive throttling.
     - CVE-2019-9517
   * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash denial of service (LP: #1840188)
     - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch: re-use slave connections and fix slave connection keepalives counter.
     - CVE-2019-0197
   * SECURITY UPDATE: mod_http2 memory corruption on early pushes
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10081
   * SECURITY UPDATE: read-after-free in mod_http2 h2 connection shutdown.
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10082
   * SECURITY UPDATE: Limited cross-site scripting in mod_proxy error page.
     - d/p/CVE-2019-10092-1.patch: Remove request details from built-in error documents.
     - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
     - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS protection.
     - CVE-2019-10092-1
   * SECURITY UPDATE: mod_rewrite potential open redirect.
     - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
     - CVE-2019-10098
   * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517, CVE-2019-10081, and CVE-2019-10082 fixes:
     - add d/p/mod_http2-1.14.1-backport-*.patches and d/p/mod_http2-1.15.4-backport-*.patches
     - dropped the following patches included above:
       + d/p/CVE-2018-1302.patch
       + d/p/CVE-2018-1333.patch
       + d/p/CVE-2018-11763.patch
       + d/p/CVE-2018-17189.patch
       + d/p/CVE-2019-0196.patch
Original-Maintainer: Debian Apache Maintainers