#11883: httpd-2.4.39
-------------------------+------------------------
 Reporter:  bdubbs       |       Owner:  blfs-book
     Type:  enhancement  |      Status:  closed
 Priority:  high         |   Milestone:  8.5
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:  fixed
 Keywords:               |
-------------------------+------------------------
Changes (by renodr):

 * priority:  normal => high


Comment:

 It's security vulnerability time!

 '''CVE-2019-0196'''

 {{{
 CVE-2019-0196: mod_http2, read-after-free on a string compare

 Severity: Low

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.17 to 2.4.38

 Description:
 Using fuzzed network input, the http/2 request
 handling could be made to access freed memory in string
 comparison when determining the method of a request and
 thus process the request incorrectly.

 Mitigation:
 All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.

 Credit:
 The issue was discovered by Craig Young, <vuln-rep...@secur3.us>.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

 '''CVE-2019-0197'''

 {{{
 CVE-2019-0197: mod_http2, possible crash on late upgrade

 Severity: Low

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.34 to 2.4.38

 Description:
 When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2
 on a https: host, an Upgrade request from http/1.1 to http/2 that was
 not the first request on a connection could lead to a misconfiguration
 and crash. Servers that never enabled the h2 protocol or only enabled it
 for https: and did not set "H2Upgrade on" are unaffected by this issue.

 Mitigation:
 All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.

 Credit:
 The issue was discovered by Stefan Eissing, greenbytes.de.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

 '''CVE-2019-0211'''

 {{{
 CVE-2019-0211: Apache HTTP Server privilege escalation from modules'
 scripts

 Severity: important

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.17 to 2.4.38

 Description:
 In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
 worker or prefork, code executing in less-privileged child processes
 or threads (including scripts executed by an in-process scripting
 interpreter) could execute arbitrary code with the privileges of the
 parent process (usually root) by manipulating the scoreboard. Non-Unix
 systems are not affected.

 Mitigation:
 All httpd users running MPM event, worker or prefork should upgrade to
 2.4.39 or later.

 Credit:
 The issue was discovered by Charles Fol.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

 '''CVE-2019-0217'''

 {{{
 CVE-2019-0217: mod_auth_digest access control bypass

 Severity: important

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.0 to 2.4.38

 Description:
 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition
 in mod_auth_digest when running in a threaded server could allow a
 user with valid credentials to authenticate using another username,
 bypassing configured access control restrictions.

 Mitigation:
 All httpd users deploying mod_auth_digest should upgrade to 2.4.39 or
 later.

 Credit:
 The issue was discovered by Simon Kappel.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

 '''CVE-2019-0215'''

 {{{
 CVE-2019-0215: mod_ssl access control bypass

 Severity: Important

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.27 to 2.4.38

 Description:
 In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
 bug in mod_ssl when using per-location client certificate
 verification with TLSv1.3 allowed a client to bypass
 configured access control restrictions.

 Mitigation:
 This issue can be mitigated by disabling the TLSv1.3 protocol for a
 VirtualHost which requires per-location or per-directory client
 certificate authentication.

 Credit:
 The issue was discovered by Michael Kaufmann.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

 '''CVE-2019-0220'''

 {{{
 CVE-2019-0220: URL normalization inconsistencies

 Severity: Low

 Vendor: The Apache Software Foundation

 Versions Affected:
 httpd 2.4.0 to 2.4.39

 Description:
 When the path component of a request URL contains multiple consecutive
 slashes ('/'), directives such as LocationMatch and RewriteRule must
 account for duplicates in regular expressions while other aspects of the
 server's processing will implicitly collapse them.

 Mitigation:
 Regular expressions used in directives that match against the path
 component of the request URL can be modified to account for multiple
 consecutive slashes.

 Credit:
 The issue was discovered by Bernhard Lorenz
 <bernhard.lor...@alphastrike.io> of Alpha Strike Labs GmbH.

 References:
 https://httpd.apache.org/security/vulnerabilities_24.html
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11883#comment:3>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
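The CVE-2019-0220 mitigation quoted above says path-matching regexes should account for repeated slashes. The following is an added example, not part of the ticket, the advisory or httpd itself: a small Python audit that models the server-side slash collapse (an assumption: consecutive '/' reduced to one) and flags LocationMatch/RewriteRule-style patterns whose decision differs between the raw and the collapsed path, alongside a helper that rewrites each literal '/' to '/+'. Sample patterns and paths are constructed.

```python
import re

# Constructed sample: a naive prefix rule and its hardened form.
NAIVE_PATTERN = r"^/admin/"
HARDENED_PATTERN = r"^/+admin/+"


def collapse_slashes(path: str) -> str:
    """Approximation of the implicit collapse of consecutive '/' in the
    path component that the advisory describes (assumed model)."""
    return re.sub(r"/{2,}", "/", path)


def harden_pattern(pattern: str) -> str:
    """Rewrite every bare literal '/' in a path regex to '/+' so that it
    also matches runs of slashes. Slashes already followed by a quantifier
    are left alone; escaped or bracketed slashes are not handled here."""
    return re.sub(r"/(?![+*?{])", "/+", pattern)


def check_consistency(pattern: str, raw_path: str) -> dict:
    """Compare the regex decision on the raw request path with the decision
    on the collapsed path. A mismatch means an access rule written with
    this pattern can be sidestepped by inserting extra slashes."""
    rx = re.compile(pattern)
    raw_hit = rx.search(raw_path) is not None
    collapsed_hit = rx.search(collapse_slashes(raw_path)) is not None
    return {
        "pattern": pattern,
        "path": raw_path,
        "raw": raw_hit,
        "collapsed": collapsed_hit,
        "inconsistent": raw_hit != collapsed_hit,
    }


def audit(rules: list[str], paths: list[str]) -> list[dict]:
    """Return every (pattern, path) pair whose raw and collapsed decisions
    disagree; an empty list means the rule set is consistent for these paths."""
    return [r for p in rules for path in paths
            if (r := check_consistency(p, path))["inconsistent"]]


if __name__ == "__main__":
    probes = ["//admin/secret", "/admin//secret", "/admin/secret"]
    for name, rule in (("naive", NAIVE_PATTERN), ("hardened", HARDENED_PATTERN)):
        findings = audit([rule], probes)
        print(f"{name}: {len(findings)} inconsistent path(s)")
        for f in findings:
            print(f"  {f['path']!r}: raw={f['raw']} collapsed={f['collapsed']}")
```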