--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package apache2, it fixes various security issues (no
other changes).
Debdiff is attached
unblock apache2/2.4.38-3
diff -Nru apache2-2.4.38/debian/changelog apache2-2.4.38/debian/changelog
--- apache2-2.4.38/debian/changelog 2019-01-31 21:54:05.000000000 +0100
+++ apache2-2.4.38/debian/changelog 2019-04-07 20:15:40.000000000 +0200
@@ -1,3 +1,40 @@
+apache2 (2.4.38-3) unstable; urgency=high
+
+ [ Marc Deslauriers ]
+ * SECURITY UPDATE: read-after-free on a string compare in mod_http2
+ - debian/patches/CVE-2019-0196.patch: disentangelment of stream and
+ request method in modules/http2/h2_request.c.
+ - CVE-2019-0196
+ * SECURITY UPDATE: privilege escalation from modules' scripts
+ - debian/patches/CVE-2019-0211.patch: bind the bucket number of each
+ child to its slot number in include/scoreboard.h,
+ server/mpm/event/event.c, server/mpm/prefork/prefork.c,
+ server/mpm/worker/worker.c.
+ - CVE-2019-0211
+ * SECURITY UPDATE: mod_ssl access control bypass
+ - debian/patches/CVE-2019-0215.patch: restore SSL verify state after
+ PHA failure in TLSv1.3 in modules/ssl/ssl_engine_kernel.c.
+ - CVE-2019-0215
+ * SECURITY UPDATE: mod_auth_digest access control bypass
+ - debian/patches/CVE-2019-0217.patch: fix a race condition in
+ modules/aaa/mod_auth_digest.c.
+ - CVE-2019-0217
+ * SECURITY UPDATE: URL normalization inconsistincy
+ - debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
+ the path in include/http_core.h, include/httpd.h, server/core.c,
+ server/request.c, server/util.c.
+ - debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
+ in server/request.c, server/util.c.
+ - debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
+ server/util.c.
+ - CVE-2019-0220
+
+ [ Stefan Fritsch ]
+ * Pull security fixes from 2.4.39 via Ubuntu
+ * CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
+
+ -- Stefan Fritsch <sf@debian.org> Sun, 07 Apr 2019 20:15:40 +0200
+
apache2 (2.4.38-2) unstable; urgency=medium
* Disable "reset" test in allowmethods.t (Closes: #921024)
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0196.patch apache2-2.4.38/debian/patches/CVE-2019-0196.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0196.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0196.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,27 @@
+From 8de3c6f2a0df79d1476c89ec480a96f9282cea28 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Tue, 5 Feb 2019 11:52:28 +0000
+Subject: [PATCH] Merge of r1852986 from trunk:
+
+mod_http2: disentangelment of stream and request method.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1852989 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/h2_request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
+index 8899c4feb75..5ee88e9679f 100644
+--- a/modules/http2/h2_request.c
++++ b/modules/http2/h2_request.c
+@@ -266,7 +266,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
+
+ /* Time to populate r with the data we have. */
+ r->request_time = req->request_time;
+- r->method = req->method;
++ r->method = apr_pstrdup(r->pool, req->method);
+ /* Provide quick information about the request method as soon as known */
+ r->method_number = ap_method_number_of(r->method);
+ if (r->method_number == M_GET && r->method[0] == 'H') {
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0197.patch apache2-2.4.38/debian/patches/CVE-2019-0197.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0197.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0197.patch 2019-04-07 19:49:17.000000000 +0200
@@ -0,0 +1,93 @@
+# https://svn.apache.org/r1855406
+--- apache2.orig/modules/http2/h2_conn.c
++++ apache2/modules/http2/h2_conn.c
+@@ -305,6 +305,10 @@ conn_rec *h2_slave_create(conn_rec *mast
+ c->notes = apr_table_make(pool, 5);
+ c->input_filters = NULL;
+ c->output_filters = NULL;
++ c->keepalives = 0;
++#if AP_MODULE_MAGIC_AT_LEAST(20180903, 1)
++ c->filter_conn_ctx = NULL;
++#endif
+ c->bucket_alloc = apr_bucket_alloc_create(pool);
+ c->data_in_input_filters = 0;
+ c->data_in_output_filters = 0;
+@@ -332,16 +336,15 @@ conn_rec *h2_slave_create(conn_rec *mast
+ ap_set_module_config(c->conn_config, mpm, cfg);
+ }
+
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "h2_stream(%ld-%d): created slave", master->id, slave_id);
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
++ "h2_slave(%s): created", c->log_id);
+ return c;
+ }
+
+ void h2_slave_destroy(conn_rec *slave)
+ {
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, slave,
+- "h2_stream(%s): destroy slave",
+- apr_table_get(slave->notes, H2_TASK_ID_NOTE));
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, slave,
++ "h2_slave(%s): destroy", slave->log_id);
+ slave->sbh = NULL;
+ apr_pool_destroy(slave->pool);
+ }
+@@ -365,6 +368,7 @@ apr_status_t h2_slave_run_pre_connection
+ slave->keepalive = AP_CONN_CLOSE;
+ return ap_run_pre_connection(slave, csd);
+ }
++ ap_assert(slave->output_filters);
+ return APR_SUCCESS;
+ }
+
+--- apache2.orig/modules/http2/h2_mplx.c
++++ apache2/modules/http2/h2_mplx.c
+@@ -327,7 +327,8 @@ static int stream_destroy_iter(void *ctx
+ && !task->rst_error);
+ }
+
+- if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
++ task->c = NULL;
++ if (reuse_slave) {
+ h2_beam_log(task->output.beam, m->c, APLOG_DEBUG,
+ APLOGNO(03385) "h2_task_destroy, reuse slave");
+ h2_task_destroy(task);
+@@ -437,6 +438,8 @@ void h2_mplx_release_and_join(h2_mplx *m
+ apr_status_t status;
+ int i, wait_secs = 60;
+
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,
++ "h2_mplx(%ld): start release", m->id);
+ /* How to shut down a h2 connection:
+ * 0. abort and tell the workers that no more tasks will come from us */
+ m->aborted = 1;
+@@ -977,6 +980,9 @@ static apr_status_t unschedule_slow_task
+ */
+ n = (m->tasks_active - m->limit_active - (int)h2_ihash_count(m->sredo));
+ while (n > 0 && (stream = get_latest_repeatable_unsubmitted_stream(m))) {
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,
++ "h2_mplx(%s): unschedule, resetting task for redo later",
++ stream->task->id);
+ h2_task_rst(stream->task, H2_ERR_CANCEL);
+ h2_ihash_add(m->sredo, stream);
+ --n;
+--- apache2.orig/modules/http2/h2_task.c
++++ apache2/modules/http2/h2_task.c
+@@ -504,7 +504,7 @@ static int h2_task_pre_conn(conn_rec* c,
+ (void)arg;
+ if (h2_ctx_is_task(ctx)) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "h2_h2, pre_connection, found stream task");
++ "h2_slave(%s), pre_connection, adding filters", c->log_id);
+ ap_add_input_filter("H2_SLAVE_IN", NULL, NULL, c);
+ ap_add_output_filter("H2_PARSE_H1", NULL, NULL, c);
+ ap_add_output_filter("H2_SLAVE_OUT", NULL, NULL, c);
+@@ -545,7 +545,6 @@ h2_task *h2_task_create(conn_rec *slave,
+ void h2_task_destroy(h2_task *task)
+ {
+ if (task->output.beam) {
+- h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
+ h2_beam_destroy(task->output.beam);
+ task->output.beam = NULL;
+ }
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0211.patch apache2-2.4.38/debian/patches/CVE-2019-0211.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0211.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0211.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,249 @@
+From df7edb5ddae609ea1fd4285f7439f0d590d97b37 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Wed, 13 Mar 2019 08:59:54 +0000
+Subject: [PATCH] Merge r1855306 from trunk:
+
+MPMs unix: bind the bucket number of each child to its slot number
+
+We need not remember each child's bucket number in SHM for restarts, for the
+lifetime of the httpd main process the bucket number can be bound to the slot
+number such that: bucket = slot % num_buckets.
+
+This both simplifies the logic and helps children maintenance per bucket in
+threaded MPMs, where previously perform_idle_server_maintenance() could create
+or kill children processes for the buckets it was not in charge of.
+
+Submitted by: ylavic
+Reviewed by: ylavic, rpluem, jorton
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855378 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 3 +++
+ include/scoreboard.h | 4 +++-
+ server/mpm/event/event.c | 13 ++++++++-----
+ server/mpm/prefork/prefork.c | 19 +++++++------------
+ server/mpm/worker/worker.c | 10 ++++++----
+ 5 files changed, 27 insertions(+), 22 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index e79251389d5..6b560802119 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,9 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.39
+#
+#+ *) MPMs unix: bind the bucket number of each child to its slot number, for a
+#+ more efficient per bucket maintenance. [Yann Ylavic]
+#+
+# *) mod_auth_digest: Fix a race condition. Authentication with valid
+# credentials could be refused in case of concurrent accesses from
+# different users. PR 63124. [Simon Kappel <simon.kappel axis.com>]
+diff --git a/include/scoreboard.h b/include/scoreboard.h
+index 9376da246b0..92d198d6de1 100644
+--- a/include/scoreboard.h
++++ b/include/scoreboard.h
+@@ -148,7 +148,9 @@ struct process_score {
+ apr_uint32_t lingering_close; /* async connections in lingering close */
+ apr_uint32_t keep_alive; /* async connections in keep alive */
+ apr_uint32_t suspended; /* connections suspended by some module */
+- int bucket; /* Listener bucket used by this child */
++ int bucket; /* Listener bucket used by this child; this field is DEPRECATED
++ * and no longer updated by the MPMs (i.e. always zero).
++ */
+ };
+
+ /* Scoreboard is now in 'local' memory, since it isn't updated once created,
+diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
+index 4cfb09c5b28..5e5af339adc 100644
+--- a/server/mpm/event/event.c
++++ b/server/mpm/event/event.c
+@@ -2696,7 +2696,6 @@ static int make_child(server_rec * s, int slot, int bucket)
+
+ ap_scoreboard_image->parent[slot].quiescing = 0;
+ ap_scoreboard_image->parent[slot].not_accepting = 0;
+- ap_scoreboard_image->parent[slot].bucket = bucket;
+ event_note_child_started(slot, pid);
+ active_daemons++;
+ retained->total_daemons++;
+@@ -2735,6 +2734,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ * that threads_per_child is always > 0 */
+ int status = SERVER_DEAD;
+ int child_threads_active = 0;
++ int bucket = i % num_buckets;
+
+ if (i >= retained->max_daemons_limit &&
+ free_length == retained->idle_spawn_rate[child_bucket]) {
+@@ -2758,7 +2758,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ */
+ if (status <= SERVER_READY && !ps->quiescing && !ps->not_accepting
+ && ps->generation == retained->mpm->my_generation
+- && ps->bucket == child_bucket)
++ && bucket == child_bucket)
+ {
+ ++idle_thread_count;
+ }
+@@ -2769,7 +2769,9 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ last_non_dead = i;
+ }
+ active_thread_count += child_threads_active;
+- if (!ps->pid && free_length < retained->idle_spawn_rate[child_bucket])
++ if (!ps->pid
++ && bucket == child_bucket
++ && free_length < retained->idle_spawn_rate[child_bucket])
+ free_slots[free_length++] = i;
+ else if (child_threads_active == threads_per_child)
+ had_healthy_child = 1;
+@@ -2962,13 +2964,14 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
+ retained->total_daemons--;
+ if (processed_status == APEXIT_CHILDSICK) {
+ /* resource shortage, minimize the fork rate */
+- retained->idle_spawn_rate[ps->bucket] = 1;
++ retained->idle_spawn_rate[child_slot % num_buckets] = 1;
+ }
+ else if (remaining_children_to_start) {
+ /* we're still doing a 1-for-1 replacement of dead
+ * children with new children
+ */
+- make_child(ap_server_conf, child_slot, ps->bucket);
++ make_child(ap_server_conf, child_slot,
++ child_slot % num_buckets);
+ --remaining_children_to_start;
+ }
+ }
+diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
+index 8efda72ee18..7c006257301 100644
+--- a/server/mpm/prefork/prefork.c
++++ b/server/mpm/prefork/prefork.c
+@@ -637,8 +637,9 @@ static void child_main(int child_num_arg, int child_bucket)
+ }
+
+
+-static int make_child(server_rec *s, int slot, int bucket)
++static int make_child(server_rec *s, int slot)
+ {
++ int bucket = slot % retained->mpm->num_buckets;
+ int pid;
+
+ if (slot + 1 > retained->max_daemons_limit) {
+@@ -716,7 +717,6 @@ static int make_child(server_rec *s, int slot, int bucket)
+ child_main(slot, bucket);
+ }
+
+- ap_scoreboard_image->parent[slot].bucket = bucket;
+ prefork_note_child_started(slot, pid);
+
+ return 0;
+@@ -732,7 +732,7 @@ static void startup_children(int number_to_start)
+ if (ap_scoreboard_image->servers[i][0].status != SERVER_DEAD) {
+ continue;
+ }
+- if (make_child(ap_server_conf, i, i % retained->mpm->num_buckets) < 0) {
++ if (make_child(ap_server_conf, i) < 0) {
+ break;
+ }
+ --number_to_start;
+@@ -741,8 +741,6 @@ static void startup_children(int number_to_start)
+
+ static void perform_idle_server_maintenance(apr_pool_t *p)
+ {
+- static int bucket_make_child_record = -1;
+- static int bucket_kill_child_record = -1;
+ int i;
+ int idle_count;
+ worker_score *ws;
+@@ -789,6 +787,7 @@ static void perform_idle_server_maintenance(apr_pool_t *p)
+ }
+ retained->max_daemons_limit = last_non_dead + 1;
+ if (idle_count > ap_daemons_max_free) {
++ static int bucket_kill_child_record = -1;
+ /* kill off one child... we use the pod because that'll cause it to
+ * shut down gracefully, in case it happened to pick up a request
+ * while we were counting
+@@ -819,10 +818,7 @@ static void perform_idle_server_maintenance(apr_pool_t *p)
+ idle_count, total_non_dead);
+ }
+ for (i = 0; i < free_length; ++i) {
+- bucket_make_child_record++;
+- bucket_make_child_record %= retained->mpm->num_buckets;
+- make_child(ap_server_conf, free_slots[i],
+- bucket_make_child_record);
++ make_child(ap_server_conf, free_slots[i]);
+ }
+ /* the next time around we want to spawn twice as many if this
+ * wasn't good enough, but not if we've just done a graceful
+@@ -867,7 +863,7 @@ static int prefork_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s)
+
+ if (one_process) {
+ AP_MONCONTROL(1);
+- make_child(ap_server_conf, 0, 0);
++ make_child(ap_server_conf, 0);
+ /* NOTREACHED */
+ ap_assert(0);
+ return !OK;
+@@ -976,8 +972,7 @@ static int prefork_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s)
+ /* we're still doing a 1-for-1 replacement of dead
+ * children with new children
+ */
+- make_child(ap_server_conf, child_slot,
+- ap_get_scoreboard_process(child_slot)->bucket);
++ make_child(ap_server_conf, child_slot);
+ --remaining_children_to_start;
+ }
+ #if APR_HAS_OTHER_CHILD
+diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c
+index 8012fe29d8d..a92794245c5 100644
+--- a/server/mpm/worker/worker.c
++++ b/server/mpm/worker/worker.c
+@@ -1339,7 +1339,6 @@ static int make_child(server_rec *s, int slot, int bucket)
+ worker_note_child_lost_slot(slot, pid);
+ }
+ ap_scoreboard_image->parent[slot].quiescing = 0;
+- ap_scoreboard_image->parent[slot].bucket = bucket;
+ worker_note_child_started(slot, pid);
+ return 0;
+ }
+@@ -1388,6 +1387,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ int any_dead_threads = 0;
+ int all_dead_threads = 1;
+ int child_threads_active = 0;
++ int bucket = i % num_buckets;
+
+ if (i >= retained->max_daemons_limit &&
+ totally_free_length == retained->idle_spawn_rate[child_bucket]) {
+@@ -1420,7 +1420,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ if (status <= SERVER_READY &&
+ !ps->quiescing &&
+ ps->generation == retained->mpm->my_generation &&
+- ps->bucket == child_bucket) {
++ bucket == child_bucket) {
+ ++idle_thread_count;
+ }
+ if (status >= SERVER_READY && status < SERVER_GRACEFUL) {
+@@ -1430,6 +1430,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
+ }
+ active_thread_count += child_threads_active;
+ if (any_dead_threads
++ && bucket == child_bucket
+ && totally_free_length < retained->idle_spawn_rate[child_bucket]
+ && free_length < MAX_SPAWN_RATE / num_buckets
+ && (!ps->pid /* no process in the slot */
+@@ -1615,14 +1616,15 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
+ ps->quiescing = 0;
+ if (processed_status == APEXIT_CHILDSICK) {
+ /* resource shortage, minimize the fork rate */
+- retained->idle_spawn_rate[ps->bucket] = 1;
++ retained->idle_spawn_rate[child_slot % num_buckets] = 1;
+ }
+ else if (remaining_children_to_start
+ && child_slot < ap_daemons_limit) {
+ /* we're still doing a 1-for-1 replacement of dead
+ * children with new children
+ */
+- make_child(ap_server_conf, child_slot, ps->bucket);
++ make_child(ap_server_conf, child_slot,
++ child_slot % num_buckets);
+ --remaining_children_to_start;
+ }
+ }
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0215.patch apache2-2.4.38/debian/patches/CVE-2019-0215.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0215.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0215.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,52 @@
+From 84edf5f49db23ced03259812bbf9426685f7d82a Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@apache.org>
+Date: Wed, 20 Mar 2019 15:45:16 +0000
+Subject: [PATCH] Merge r1855849 from trunk:
+
+* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
+ restore SSL verify state after PHA failure in TLSv1.3.
+
+Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
+Reviewed by: jorton, covener, jim
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855917 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 3 +++
+ modules/ssl/ssl_engine_kernel.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+#diff --git a/CHANGES b/CHANGES
+#index 6b03eadfa07..6f20d688ece 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,9 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.39
+#
+#+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+#+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+#+
+# *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
+# PR 55348
+#
+Index: apache2-2.4.38/modules/ssl/ssl_engine_kernel.c
+===================================================================
+--- apache2-2.4.38.orig/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
++++ apache2-2.4.38/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
+@@ -1154,6 +1154,7 @@ static int ssl_hook_Access_modern(reques
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: Cannot perform Post-Handshake Authentication.<br />");
++ SSL_set_verify(ssl, vmode_inplace, NULL);
+ return HTTP_FORBIDDEN;
+ }
+
+@@ -1175,6 +1176,7 @@ static int ssl_hook_Access_modern(reques
+ * Finally check for acceptable renegotiation results
+ */
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
++ SSL_set_verify(ssl, vmode_inplace, NULL);
+ return rc;
+ }
+ }
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0217.patch apache2-2.4.38/debian/patches/CVE-2019-0217.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0217.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0217.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,147 @@
+From 44b3ddc560c490c60600998fa2bf59b142d08e05 Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@apache.org>
+Date: Tue, 12 Mar 2019 09:24:26 +0000
+Subject: [PATCH] Merge r1853190 from trunk:
+
+Fix a race condition. Authentication with valid credentials could be
+refused in case of concurrent accesses from different users.
+
+PR: 63124
+Submitted by: Simon Kappel <simon.kappel axis.com>
+Reviewed by: jailletc36, icing, jorton
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855298 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 4 ++++
+ modules/aaa/mod_auth_digest.c | 26 ++++++++++++--------------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index 08fc740db30..e79251389d5 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,10 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.39
+#
+#+ *) mod_auth_digest: Fix a race condition. Authentication with valid
+#+ credentials could be refused in case of concurrent accesses from
+#+ different users. PR 63124. [Simon Kappel <simon.kappel axis.com>]
+#+
+# *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+# PR 62932 <pavel dcmsys.com>
+#
+diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
+index a67f06986f2..b76094114dd 100644
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -92,7 +92,6 @@ typedef struct digest_config_struct {
+ int check_nc;
+ const char *algorithm;
+ char *uri_list;
+- const char *ha1;
+ } digest_config_rec;
+
+
+@@ -153,6 +152,7 @@ typedef struct digest_header_struct {
+ apr_time_t nonce_time;
+ enum hdr_sts auth_hdr_sts;
+ int needed_auth;
++ const char *ha1;
+ client_entry *client;
+ } digest_header_rec;
+
+@@ -1304,7 +1304,7 @@ static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type)
+ */
+
+ static authn_status get_hash(request_rec *r, const char *user,
+- digest_config_rec *conf)
++ digest_config_rec *conf, const char **rethash)
+ {
+ authn_status auth_result;
+ char *password;
+@@ -1356,7 +1356,7 @@ static authn_status get_hash(request_rec *r, const char *user,
+ } while (current_provider);
+
+ if (auth_result == AUTH_USER_FOUND) {
+- conf->ha1 = password;
++ *rethash = password;
+ }
+
+ return auth_result;
+@@ -1483,25 +1483,24 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
+
+ /* RFC-2069 */
+ static const char *old_digest(const request_rec *r,
+- const digest_header_rec *resp, const char *ha1)
++ const digest_header_rec *resp)
+ {
+ const char *ha2;
+
+ ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":",
+ resp->uri, NULL));
+ return ap_md5(r->pool,
+- (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce,
+- ":", ha2, NULL));
++ (unsigned char *)apr_pstrcat(r->pool, resp->ha1, ":",
++ resp->nonce, ":", ha2, NULL));
+ }
+
+ /* RFC-2617 */
+ static const char *new_digest(const request_rec *r,
+- digest_header_rec *resp,
+- const digest_config_rec *conf)
++ digest_header_rec *resp)
+ {
+ const char *ha1, *ha2, *a2;
+
+- ha1 = conf->ha1;
++ ha1 = resp->ha1;
+
+ a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL);
+ ha2 = ap_md5(r->pool, (const unsigned char *)a2);
+@@ -1514,7 +1513,6 @@ static const char *new_digest(const request_rec *r,
+ NULL));
+ }
+
+-
+ static void copy_uri_components(apr_uri_t *dst,
+ apr_uri_t *src, request_rec *r) {
+ if (src->scheme && src->scheme[0] != '\0') {
+@@ -1759,7 +1757,7 @@ static int authenticate_digest_user(request_rec *r)
+ return HTTP_UNAUTHORIZED;
+ }
+
+- return_code = get_hash(r, r->user, conf);
++ return_code = get_hash(r, r->user, conf, &resp->ha1);
+
+ if (return_code == AUTH_USER_NOT_FOUND) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790)
+@@ -1789,7 +1787,7 @@ static int authenticate_digest_user(request_rec *r)
+
+ if (resp->message_qop == NULL) {
+ /* old (rfc-2069) style digest */
+- if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) {
++ if (strcmp(resp->digest, old_digest(r, resp))) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792)
+ "user %s: password mismatch: %s", r->user,
+ r->uri);
+@@ -1819,7 +1817,7 @@ static int authenticate_digest_user(request_rec *r)
+ return HTTP_UNAUTHORIZED;
+ }
+
+- exp_digest = new_digest(r, resp, conf);
++ exp_digest = new_digest(r, resp);
+ if (!exp_digest) {
+ /* we failed to allocate a client struct */
+ return HTTP_INTERNAL_SERVER_ERROR;
+@@ -1903,7 +1901,7 @@ static int add_auth_info(request_rec *r)
+
+ /* calculate rspauth attribute
+ */
+- ha1 = conf->ha1;
++ ha1 = resp->ha1;
+
+ a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL);
+ ha2 = ap_md5(r->pool, (const unsigned char *)a2);
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0220-1.patch apache2-2.4.38/debian/patches/CVE-2019-0220-1.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0220-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0220-1.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,278 @@
+From 9bc1917a27a2323e535aadb081e38172ae0e3fc2 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Mon, 18 Mar 2019 08:49:59 +0000
+Subject: [PATCH] Merge of r1855705 from trunk:
+
+core: merge consecutive slashes in the path
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855737 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 4 ++++
+ docs/manual/mod/core.xml | 26 ++++++++++++++++++++++++++
+ include/ap_mmn.h | 4 +++-
+ include/http_core.h | 2 +-
+ include/httpd.h | 14 ++++++++++++--
+ server/core.c | 13 +++++++++++++
+ server/request.c | 25 +++++++++----------------
+ server/util.c | 10 +++++++---
+ 8 files changed, 75 insertions(+), 23 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index e3e8a98db24..9dd7045c232 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,10 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.39
+#
+#+ *) core: new configuration option 'MergeSlashes on|off' that controls handling of
+#+ multiple, consecutive slash ('/') characters in the path component of the request URL.
+#+ [Eric Covener]
+#+
+# *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
+# in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
+# Fixed. [Michael Kaufmann]
+#diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
+#index fc664116727..460b4367621 100644
+#--- a/docs/manual/mod/core.xml
+#+++ b/docs/manual/mod/core.xml
+#@@ -5138,4 +5138,30 @@ recognized methods to modules.</p>
+# <seealso><directive module="mod_allowmethods">AllowMethods</directive></seealso>
+# </directivesynopsis>
+#
+#+<directivesynopsis>
+#+<name>MergeSlashes</name>
+#+<description>Controls whether the server merges consecutive slashes in URLs.
+#+</description>
+#+<syntax>MergeSlashes ON|OFF</syntax>
+#+<default>MergeSlashes ON</default>
+#+<contextlist><context>server config</context><context>virtual host</context>
+#+</contextlist>
+#+<compatibility>Added in 2.5.1</compatibility>
+#+
+#+<usage>
+#+ <p>By default, the server merges (or collapses) multiple consecutive slash
+#+ ('/') characters in the path component of the request URL.</p>
+#+
+#+ <p>When mapping URL's to the filesystem, these multiple slashes are not
+#+ significant. However, URL's handled other ways, such as by CGI or proxy,
+#+ might prefer to retain the significance of multiple consecutive slashes.
+#+ In these cases <directive>MergeSlashes</directive> can be set to
+#+ <em>OFF</em> to retain the multiple consecutive slashes. In these
+#+ configurations, regular expressions used in the configuration file that match
+#+ the path component of the URL (<directive>LocationMatch</directive>,
+#+ <directive>RewriteRule</directive>, ...) need to take into account multiple
+#+ consecutive slashes.</p>
+#+</usage>
+#+</directivesynopsis>
+#+
+# </modulesynopsis>
+diff --git a/include/ap_mmn.h b/include/ap_mmn.h
+index 2167baa0325..4739f7f64d3 100644
+--- a/include/ap_mmn.h
++++ b/include/ap_mmn.h
+@@ -523,6 +523,8 @@
+ * 20120211.82 (2.4.35-dev) Add optional function declaration for
+ * ap_proxy_balancer_get_best_worker to mod_proxy.h.
+ * 20120211.83 (2.4.35-dev) Add client64 field to worker_score struct
++ * 20120211.84 (2.4.35-dev) Add ap_no2slash_ex() and merge_slashes to
++ * core_server_conf.
+ *
+ */
+
+@@ -531,7 +533,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20120211
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 83 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 84 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+diff --git a/include/http_core.h b/include/http_core.h
+index 35df5dc9601..8e109882244 100644
+--- a/include/http_core.h
++++ b/include/http_core.h
+@@ -740,7 +740,7 @@ typedef struct {
+ #define AP_HTTP_METHODS_LENIENT 1
+ #define AP_HTTP_METHODS_REGISTERED 2
+ char http_methods;
+-
++ unsigned int merge_slashes;
+ } core_server_config;
+
+ /* for AddOutputFiltersByType in core.c */
+diff --git a/include/httpd.h b/include/httpd.h
+index 65392f83546..99f7f041aea 100644
+--- a/include/httpd.h
++++ b/include/httpd.h
+@@ -1697,11 +1697,21 @@ AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes);
+ AP_DECLARE(int) ap_unescape_urlencoded(char *query);
+
+ /**
+- * Convert all double slashes to single slashes
+- * @param name The string to convert
++ * Convert all double slashes to single slashes, except where significant
++ * to the filesystem on the current platform.
++ * @param name The string to convert, assumed to be a filesystem path
+ */
+ AP_DECLARE(void) ap_no2slash(char *name);
+
++/**
++ * Convert all double slashes to single slashes, except where significant
++ * to the filesystem on the current platform.
++ * @param name The string to convert
++ * @param is_fs_path if set to 0, the significance of any double-slashes is
++ * ignored.
++ */
++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path);
++
+ /**
+ * Remove all ./ and xx/../ substrings from a file name. Also remove
+ * any leading ../ or /../ substrings.
+diff --git a/server/core.c b/server/core.c
+index e2a91c7a0c6..eacb54fecec 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -490,6 +490,7 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s)
+
+ conf->protocols = apr_array_make(a, 5, sizeof(const char *));
+ conf->protocols_honor_order = -1;
++ conf->merge_slashes = AP_CORE_CONFIG_UNSET;
+
+ return (void *)conf;
+ }
+@@ -555,6 +556,7 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
+ conf->protocols_honor_order = ((virt->protocols_honor_order < 0)?
+ base->protocols_honor_order :
+ virt->protocols_honor_order);
++ AP_CORE_MERGE_FLAG(merge_slashes, conf, base, virt);
+
+ return conf;
+ }
+@@ -1863,6 +1865,13 @@ static const char *set_qualify_redirect_url(cmd_parms *cmd, void *d_, int flag)
+ return NULL;
+ }
+
++static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag)
++{
++ core_server_config *conf =
++ ap_get_core_module_config(cmd->server->module_config);
++ return ap_set_flag_slot(cmd, conf, flag);
++}
++
+ static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
+ {
+ core_dir_config *d = d_;
+@@ -4562,6 +4571,10 @@ AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CON
+ "'Unsafe' or 'Strict' (default). Sets HTTP acceptance rules"),
+ AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF,
+ "Registers non-standard HTTP methods"),
++AP_INIT_FLAG("MergeSlashes", set_core_server_flag,
++ (void *)APR_OFFSETOF(core_server_config, merge_slashes),
++ RSRC_CONF,
++ "Controls whether consecutive slashes in the URI path are merged"),
+ { NULL }
+ };
+
+diff --git a/server/request.c b/server/request.c
+index dbe3e07f150..1ce8908824b 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -167,6 +167,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+ int file_req = (r->main && r->filename);
+ int access_status;
+ core_dir_config *d;
++ core_server_config *sconf =
++ ap_get_core_module_config(r->server->module_config);
+
+ /* Ignore embedded %2F's in path for proxy requests */
+ if (!r->proxyreq && r->parsed_uri.path) {
+@@ -191,6 +193,10 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+ }
+
+ ap_getparents(r->uri); /* OK --- shrinking transformations... */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ ap_no2slash(r->uri);
++ ap_no2slash(r->parsed_uri.path);
++ }
+
+ /* All file subrequests are a huge pain... they cannot bubble through the
+ * next several steps. Only file subrequests are allowed an empty uri,
+@@ -1411,20 +1417,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+-
+- /* Location and LocationMatch differ on their behaviour w.r.t. multiple
+- * slashes. Location matches multiple slashes with a single slash,
+- * LocationMatch doesn't. An exception, for backwards brokenness is
+- * absoluteURIs... in which case neither match multiple slashes.
+- */
+- if (r->uri[0] != '/') {
+- entry_uri = r->uri;
+- }
+- else {
+- char *uri = apr_pstrdup(r->pool, r->uri);
+- ap_no2slash(uri);
+- entry_uri = uri;
+- }
++ entry_uri = r->uri;
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1491,7 +1484,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1501,7 +1494,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- r->uri + pmatch[i].rm_so,
++ entry_uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
+diff --git a/server/util.c b/server/util.c
+index fd7a0a14763..607c4850d86 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -561,16 +561,16 @@ AP_DECLARE(void) ap_getparents(char *name)
+ name[l] = '\0';
+ }
+ }
+-
+-AP_DECLARE(void) ap_no2slash(char *name)
++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path)
+ {
++
+ char *d, *s;
+
+ s = d = name;
+
+ #ifdef HAVE_UNC_PATHS
+ /* Check for UNC names. Leave leading two slashes. */
+- if (s[0] == '/' && s[1] == '/')
++ if (is_fs_path && s[0] == '/' && s[1] == '/')
+ *d++ = *s++;
+ #endif
+
+@@ -587,6 +587,10 @@ AP_DECLARE(void) ap_no2slash(char *name)
+ *d = '\0';
+ }
+
++AP_DECLARE(void) ap_no2slash(char *name)
++{
++ ap_no2slash_ex(name, 1);
++}
+
+ /*
+ * copy at most n leading directories of s into d
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0220-2.patch apache2-2.4.38/debian/patches/CVE-2019-0220-2.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0220-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0220-2.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,50 @@
+From c4ef468b25718a26f2b92cbea3ca093729b79331 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 18 Mar 2019 12:10:15 +0000
+Subject: [PATCH] merge 1855743,1855744 ^/httpd/httpd/trunk .
+
+r->parsed_uri.path safety in recent backport
+
+*) core: fix SEGFAULT in CONNECT with recent change
+ 2.4.x: svn merge -c 1855743,1855744 ^/httpd/httpd/trunk .
+ +1: rpluem, icing, covener
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855751 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/request.c | 4 +++-
+ server/util.c | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/server/request.c b/server/request.c
+index 1ce8908824b..d5c558afa30 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -195,7 +195,9 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+ ap_getparents(r->uri); /* OK --- shrinking transformations... */
+ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
+ ap_no2slash(r->uri);
+- ap_no2slash(r->parsed_uri.path);
++ if (r->parsed_uri.path) {
++ ap_no2slash(r->parsed_uri.path);
++ }
+ }
+
+ /* All file subrequests are a huge pain... they cannot bubble through the
+diff --git a/server/util.c b/server/util.c
+index 607c4850d86..f3b17f1581e 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -566,6 +566,10 @@ AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path)
+
+ char *d, *s;
+
++ if (!name || !*name) {
++ return;
++ }
++
+ s = d = name;
+
+ #ifdef HAVE_UNC_PATHS
diff -Nru apache2-2.4.38/debian/patches/CVE-2019-0220-3.patch apache2-2.4.38/debian/patches/CVE-2019-0220-3.patch
--- apache2-2.4.38/debian/patches/CVE-2019-0220-3.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.38/debian/patches/CVE-2019-0220-3.patch 2019-04-07 19:37:55.000000000 +0200
@@ -0,0 +1,43 @@
+From 3451fc2bf8708b0dc8cd6a7d0ac0fe5b6401befc Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Tue, 19 Mar 2019 18:01:21 +0000
+Subject: [PATCH] *) maintainer mode fix for util.c no2slash_ex trunk
+ patch: http://svn.apache.org/r1855755 2.4.x patch svn merge -c 1855755
+ ^/httpd/httpd/trunk . +1: covener, rpluem, jim, ylavic
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855853 13f79535-47bb-0310-9956-ffa450edef68
+---
+ STATUS | 6 ------
+ server/util.c | 2 +-
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+#diff --git a/STATUS b/STATUS
+#index ffe5d22550c..1f8cb2f7884 100644
+#--- a/STATUS
+#+++ b/STATUS
+#@@ -126,12 +126,6 @@ RELEASE SHOWSTOPPERS:
+# PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
+# [ start all new proposals below, under PATCHES PROPOSED. ]
+#
+#- *) maintainer mode fix for util.c no2slash_ex
+#- trunk patch: http://svn.apache.org/r1855755
+#- 2.4.x patch svn merge -c 1855755 ^/httpd/httpd/trunk .
+#- +1: covener, rpluem, jim, ylavic
+#-
+#-
+# PATCHES PROPOSED TO BACKPORT FROM TRUNK:
+# [ New proposals should be added at the end of the list ]
+#
+diff --git a/server/util.c b/server/util.c
+index f3b17f1581e..e0c558cee2d 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -566,7 +566,7 @@ AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path)
+
+ char *d, *s;
+
+- if (!name || !*name) {
++ if (!*name) {
+ return;
+ }
+
diff -Nru apache2-2.4.38/debian/patches/series apache2-2.4.38/debian/patches/series
--- apache2-2.4.38/debian/patches/series 2019-01-22 21:40:23.000000000 +0100
+++ apache2-2.4.38/debian/patches/series 2019-04-07 19:45:58.000000000 +0200
@@ -8,3 +8,12 @@
# This patch is applied manually
#suexec-custom.patch
spelling-errors.patch
+
+CVE-2019-0196.patch
+CVE-2019-0211.patch
+CVE-2019-0215.patch
+CVE-2019-0217.patch
+CVE-2019-0220-1.patch
+CVE-2019-0220-2.patch
+CVE-2019-0220-3.patch
+CVE-2019-0197.patch
--- End Message ---