svn commit: r491040 - head/security/vuxml

Jochen Neumeister joneum at FreeBSD.org
Wed Jan 23 14:37:45 UTC 2019 

Author: joneum
Date: Wed Jan 23 14:37:44 2019
New Revision: 491040
URL: https://svnweb.freebsd.org/changeset/ports/491040

Log:
  Add entry for www/apache24
  
  Sponsored by:	Netzkommune GmbH

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Jan 23 14:25:24 2019	(r491039)
+++ head/security/vuxml/vuln.xml	Wed Jan 23 14:37:44 2019	(r491040)
@@ -58,6 +58,46 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="eb888ce5-1f19-11e9-be05-4c72b94353b5">
+    <topic>Apache -- vulnerability</topic>
+    <affects>
+      <package>
+	<name>apache24</name>
+	<range><lt>2.4.38</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Apache httpd Project reports:</p>
+	<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
+	  <p>SECURITY: CVE-2018-17199
+	    mod_session: mod_session_cookie does not respect expiry time allowing
+	    sessions to be reused.</p>
+	  <p>SECURITY: CVE-2019-0190
+	    mod_ssl: Fix infinite loop triggered by a client-initiated
+	    renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+	    later.  PR 63052.</p>
+	  <p>SECURITY: CVE-2018-17189
+	    mod_http2: fixes a DoS attack vector. By sending slow request bodies
+	    to resources not consuming them, httpd cleanup code occupies a server
+	    thread unnecessarily. This was changed to an immediate stream reset
+	    which discards all stream state and incoming data.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.apache.org/dist/httpd/CHANGES_2.4.38</url>
+      <url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
+	<cvename>CVE-2018-17199</cvename>
+	<cvename>CVE-2018-17189</cvename>
+	<cvename>CVE-2019-0190</cvename>
+    </references>
+    <dates>
+      <discovery>2019-01-22</discovery>
+      <entry>2019-01-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4af3241d-1f0c-11e9-b4bd-d43d7eed0ce2">
     <topic>www/mod_dav_svn -- Malicious SVN clients can crash mod_dav_svn.</topic>
     <affects>

More information about the svn-ports-head mailing list