Hi,
Shouldn't CVE-2019-10097 be listed under 2.4.41, too?
Cheers,
Stefan
--- httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:43:00 1865188
+++ httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:52:45 1865189
@@ -1,8 +1,39 @@
-*- coding:
utf-8 -*-
Changes with Apache 2.4.42
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
Changes with Apache 2.4.41
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections.
[Stefan Eissing]
+
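Review bot: "NULL pointer deference" in the CVE-2019-10097 entry should read "NULL pointer dereference". That entry is also added under "Changes with Apache 2.4.42", while the CVE-2019-9517 entry goes under "Changes with Apache 2.4.41". If the mod_remoteip fix is part of 2.4.41, list it under that heading, so that anyone checking CHANGES for the first fixed release is not pointed at the later version. In the CVE-2019-9517 text, "possible to block those" is easier to read if "those" is replaced with the noun it refers to (the h2 workers).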