tjh.dev
apache-httpd: 2.4.38 -> 2.4.39 (CVE-2019-0211)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or
prefork, code executing in less-privileged child processes or
threads (including scripts executed by an in-process scripting interpreter)
could execute arbitrary code with the privileges of the parent process (usually
root) by manipulating the scoreboard.
(cherry picked from commit 2017158b53fefb67d5a02f6d02b72515d107256f)
+2
-2
pkgs/servers/http/apache-httpd/2.4.nix
+2
-2
pkgs/servers/http/apache-httpd/2.4.nix
···
16
16
assert http2Support -> nghttp2 != null;
17
17
18
18
stdenv.mkDerivation rec {
19
-
version = "2.4.38";
19
+
version = "2.4.39";
20
20
name = "apache-httpd-${version}";
21
21
22
22
src = fetchurl {
23
23
url = "mirror://apache/httpd/httpd-${version}.tar.bz2";
24
-
sha256 = "0jiriyyf3pm6axf4mrz6c2z08yhs21hb4d23viq87jclm5bmiikx";
24
+
sha256 = "18ngvsjq65qxk3biggnkhkq8jlll9dsg9n3csra9p99sfw2rvjml";
25
25
};
26
26
27
27
# FIXME: -dev depends on -doc