-
Wed Nov 10 2021 David Kubat <david.kubat@oracle.com> - 2.4.6-97.0.3.2
- mod_session: save one apr_strtok() [Orabug: 33338149][CVE-2021-26690]
- replace index.html with Oracle's index page oracle_index.html
-
Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix
-
Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
  request uri-path containing "unix:"
-
Wed Oct 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-97
- Resolves: #1852350 - httpd/mod_proxy_http/mod_ssl aborted when sending
  a client cert to backend server
- Resolves: #1785100 - mod_cgid takes CGIDScriptTimeout x 2 seconds for timeout
- Resolves: #1862499 - Intermittent Segfault in Apache httpd due to pool
  concurrency issues
-
Fri Apr 17 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-95
- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
  value
-
Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-94
- Resolves: #1565491 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing
  newline in the file name
- Resolves: #1747283 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
- Resolves: #1724879 - httpd terminates all SSL connections using an abortive
  shutdown
- Resolves: #1715981 - Backport of SessionExpiryUpdateInterval directive
- Resolves: #1565457 - CVE-2018-1303 httpd: Out of bounds read in
  mod_cache_socache can allow a remote attacker to cause a denial of service
- Resolves: #1566531 - CVE-2018-1283 httpd: Improper handling of headers in
  mod_session can allow a remote user to modify session data for CGI applications
-
Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
  expiry time
-
Thu Aug 22 2019 Joe Orton <jorton@redhat.com> - 2.4.6-92
- htpasswd: add SHA-2 crypt() support (#1486889)
-
Wed Jul 31 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-91
- Resolves: #1630886 - scriptlet can fail if hostname is not installed
- Resolves: #1565465 - CVE-2017-15710 httpd: Out of bound write in
  mod_authnz_ldap when using too small Accept-Language values
- Resolves: #1568298 - CVE-2018-1301 httpd: Out of bounds access after
  failure in reading the HTTP request
- Resolves: #1673457 - Apache child process crashes because ScriptAliasMatch
  directive
- Resolves: #1633152 - mod_session missing apr-util-openssl
- Resolves: #1649470 - httpd response contains garbage in Content-Type header
- Resolves: #1724034 - Unexpected OCSP in proxy SSL connection
-
Sat Jun 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-90
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
  in mod_auth_digest
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
  bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency