This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10

---------------
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <sbeat...@ubuntu.com>  Mon, 26 Aug 2019 06:41:23 -0700

** Changed in: apache2 (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11763

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1302

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1333

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17189

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0196

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10081

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10082

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10092

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10098

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9517

** Changed in: apache2 (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10097

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1840188

Title:
  Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1840188/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs