LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2013-13922 (httpd)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 18 Update: httpd-2.4.6-2.fc18 


Date:
    	      Fri, 16 Aug 2013 23:03:32 +0000


Message-ID:
    	      <20130816230332.DB97321742@bastion01.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-13922
2013-08-02 02:09:37
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 18
Version     : 2.4.6
Release     : 2.fc18
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

This update contains the latest release of the Apache HTTP Server, version 2.4.6.

Two security issues are resolved in this update:

- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn could trigger a segfault.
(CVE-2013-1896)

- mod_session_dbd: Make sure that dirty flag is respected when saving. This changes the format of
the updatesession SQL statement. Existing configurations must be changed. (CVE-2013-2249)

Numerous bug fixes and minor enhancements are also included; for more information see:

http://www.apache.org/dist/httpd/CHANGES_2.4.6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 31 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-2
- revert fix for dumping vhosts twice
* Mon Jul 22 2013 Joe Orton <jorton@redhat.com> - 2.4.6-1
- update to 2.4.6
- mod_ssl: use revised NPN API (r1487772)
* Thu Jul 11 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-12
- mod_unique_id: replace use of hostname + pid with PRNG output (#976666)
- apxs: mention -p option in manpage
* Tue Jul  2 2013 Joe Orton <jorton@redhat.com> - 2.4.4-11
- add patch for aarch64 (Dennis Gilmore, #925558)
* Mon Jul  1 2013 Joe Orton <jorton@redhat.com> - 2.4.4-10
- remove duplicate apxs man page from httpd-tools
* Mon Jun 17 2013 Joe Orton <jorton@redhat.com> - 2.4.4-9
- remove zombie dbmmanage script
* Fri May 31 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-8
- return 400 Bad Request on malformed Host header
* Fri May 17 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-3
- fix service file to not send SIGTERM after ExecStop (#906321, #912288)
- execute systemctl reload as result of apachectl graceful
- htpasswd/htdbm: fix hash generation bug (#956344)
- do not dump vhosts twice in httpd -S output (#928761)
- mod_cache: fix potential crash caused by uninitialized variable (#954109)
* Tue Feb 26 2013 Joe Orton <jorton@redhat.com> - 2.4.4-2
- really package mod_auth_form in mod_session (#915438)
* Tue Feb 26 2013 Joe Orton <jorton@redhat.com> - 2.4.4-1
- update to 2.4.4
- fix duplicate ownership of mod_session config (#914901)
* Fri Feb 22 2013 Joe Orton <jorton@redhat.com> - 2.4.3-17
- add mod_session subpackage, move mod_auth_form there (#894500)
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.3-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Tue Jan  8 2013 Joe Orton <jorton@redhat.com> - 2.4.3-15
- add systemd service for htcacheclean
* Tue Nov 13 2012 Joe Orton <jorton@redhat.com> - 2.4.3-14
- drop patch for r1344712
* Tue Nov 13 2012 Joe Orton <jorton@redhat.com> - 2.4.3-13
- filter mod_*.so auto-provides (thanks to rcollet)
- pull in syslog logging fix from upstream (r1344712)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE
request with source URI not handled by mod_dav
        https://bugzilla.redhat.com/show_bug.cgi?id=983549
  [ 2 ] Bug #987543 - CVE-2013-2249 httpd: mod_session_dbd session fixation flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=987543
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update httpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds