rtime.felk.cvut.cz Git - coffee/buildroot.git/commit

author	Bernd Kuhls <bernd.kuhls@t-online.de>
	Tue, 11 Jul 2017 18:25:26 +0000 (20:25 +0200)
committer	Peter Korsgaard <peter@korsgaard.com>
	Wed, 19 Jul 2017 14:06:41 +0000 (16:06 +0200)
commit	e233dc7e0bc59c3fc78ff02bac9b261126e2696c
tree	1b63262afc4ac0ae2733df2bc9e95011e56fe6fa	tree \| snapshot
parent	6e23252d6389c277a6238c1f262d6fef5073e272	commit \| diff

package/apache: security bump to version 2.4.27

Fixes the following security issues:

CVE-2017-9788 - Uninitialized memory reflection in mod_auth_digest

The value placeholder in [Proxy-]Authorization headers of type 'Digest' was
not initialized or reset before or between successive key=value assignments.
by mod_auth_digest.

Providing an initial key with no '=' assignment could reflect the stale
value of uninitialized pool memory used by the prior request, leading to
leakage of potentially confidential information, and a segfault.

CVE-2017-9789 - Read after free in mod_http2

When under stress, closing many connections, the HTTP/2 handling code would
sometimes access memory after it has been freed, resulting in potentially
erratic behaviour.

Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html
Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cf9b7cedac14de7cf5650589bf4c37635b5438a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/apache/apache.hash		diff \| blob \| history
package/apache/apache.mk		diff \| blob \| history