Format: 1.8
Date: Mon, 26 Aug 2019 06:41:23 -0700
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: ppc64el
Version: 2.4.29-1ubuntu4.10
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Steve Beattie
Description:
 apache2 - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Launchpad-Bugs-Fixed: 1840188
Changes:
 apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
     - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve http/2 module keepalive throttling.
     - CVE-2019-9517
   * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash denial of service (LP: #1840188)
     - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch: re-use slave connections and fix slave connection keepalives counter.
     - CVE-2019-0197
   * SECURITY UPDATE: mod_http2 memory corruption on early pushes
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10081
   * SECURITY UPDATE: read-after-free in mod_http2 h2 connection shutdown.
     - included in mod_http2 1.15.4 backport
     - CVE-2019-10082
   * SECURITY UPDATE: Limited cross-site scripting in mod_proxy error page.
     - d/p/CVE-2019-10092-1.patch: Remove request details from built-in error documents.
     - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
     - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS protection.
     - CVE-2019-10092-1
   * SECURITY UPDATE: mod_rewrite potential open redirect.
     - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
     - CVE-2019-10098
   * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517, CVE-2019-10081, and CVE-2019-10082 fixes:
     - add d/p/mod_http2-1.14.1-backport-*.patches and d/p/mod_http2-1.15.4-backport-*.patches
     - dropped the following patches included above:
       + d/p/CVE-2018-1302.patch
       + d/p/CVE-2018-1333.patch
       + d/p/CVE-2018-11763.patch
       + d/p/CVE-2018-17189.patch
       + d/p/CVE-2019-0196.patch
Original-Maintainer: Debian Apache Maintainers