News for package apache2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: apache2
Binary: apache2, apache2-data, apache2-bin, apache2-utils, apache2-suexec-pristine, apache2-suexec-custom, apache2-doc, apache2-dev, apache2-ssl-dev, apache2-dbg
Architecture: any all
Version: 2.4.25-3+deb9u4
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Uploaders: Stefan Fritsch <sf@debian.org>, Arno Töll <arno@debian.org>
Homepage: http://httpd.apache.org/
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-apache/apache2.git/
Vcs-Git: git://anonscm.debian.org/pkg-apache/apache2.git
Testsuite: autopkgtest
Testsuite-Triggers: build-essential, curl, dpkg-dev, expect, libanyevent-perl, libcrypt-ssleay-perl, libdatetime-perl, libhttp-dav-perl, libnet-ssleay-perl, libwww-perl, ssl-cert, wget
Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>= 1.16.1~), libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev, zlib1g-dev, libnghttp2-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl, liblua5.2-dev, libxml2-dev, autotools-dev, gawk | awk, dh-systemd
Build-Conflicts: autoconf2.13
Package-List:
 apache2 deb httpd optional arch=any
 apache2-bin deb httpd optional arch=any
 apache2-data deb httpd optional arch=all
 apache2-dbg deb debug extra arch=any
 apache2-dev deb httpd optional arch=any
 apache2-doc deb doc optional arch=all
 apache2-ssl-dev deb httpd optional arch=any
 apache2-suexec-custom deb httpd extra arch=any
 apache2-suexec-pristine deb httpd optional arch=any
 apache2-utils deb httpd optional arch=any
Checksums-Sha1:
 bd6d138c31c109297da2346c6e7b93b9283993d2 6398218 apache2_2.4.25.orig.tar.bz2
 be4c0e46cd7102a9bf32e7a63b15d0ff5e61153d 705784 apache2_2.4.25-3+deb9u4.debian.tar.xz
Checksums-Sha256:
 f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2 6398218 apache2_2.4.25.orig.tar.bz2
 9e856d571d5d54212cd26bf7213f41e52063dedb8831549887ec76ba4f439073 705784 apache2_2.4.25-3+deb9u4.debian.tar.xz
Files:
 2826f49619112ad5813c0be5afcc7ddb 6398218 apache2_2.4.25.orig.tar.bz2
 fa999fcf17524ee424893d9a876f99fc 705784 apache2_2.4.25-3+deb9u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Changes:
apache2 (2.4.25-3+deb9u4) stretch-security; urgency=medium

  * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
    when using too small Accept-Language values.
  * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
    name.
    Configure the regular expression engine to match '$' to the end of
    the input string only, excluding matching the end of any embedded
    newline characters. Behavior can be changed with new directive
    'RegexDefaultOptions'.
  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
  * CVE-2018-1301: Possible out of bound access after failure in reading the
    HTTP request
  * CVE-2018-1303: Possible out of bound read in mod_cache_socache
  * CVE-2018-1312: mod_auth_digest: Weak Digest auth nonce generation

 -- Stefan Fritsch <sf@debian.org>  Sat, 31 Mar 2018 10:47:16 +0200