httpd-2.4.38

[Douglas R. Reno]

New point version

[Bruce Dubbs]

Changes with Apache 2.4.38

• mod_ssl: Clear retry flag before aborting client-initiated renegotiation.

• mod_negotiation: Treat LanguagePriority as case-insensitive to match AddLanguage behavior and HTTP specification.

• mod_md: incorrect behaviour when synchronizing ongoing ACME challenges have been fixed.

• mod_setenvif: We can have expressions that become true if a regex pattern in the expression does NOT match. In this case val is NULL and we should just set the value for the environment variable like in the pattern case.

• mod_session: Always decode session attributes early.

• core: Incorrect values for environment variables are substituted when multiple environment variables are specified in a directive.

• mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when this type of map is present in the configuration.

• mod_dav: Fix invalid Location header when a resource is created by passing an absolute URI on the request line

• mod_session_cookie: avoid duplicate Set-Cookie header in the response.

• mod_ssl: clear *SSL errors before loading certificates and checking afterwards. Otherwise errors are reported when other SSL using modules are in play.

• mod_ssl: Fix the error code returned in an error path of 'ssl_io_filter_handshake()'. This messes-up error handling performed in 'ssl_io_filter_error()'

• mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix authz provider so "Require ssl" works correctly in HTTP/2.

• mod_proxy: If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail.

• mod_lua: Now marked as a stable module ​https://s.apache.org/Xnh1

[Bruce Dubbs]

Fixed at revision 21015.

[Douglas R. Reno]

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service.  This bug can be only triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.37

Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for
mod_session_cookie sessions since the expiry time is loaded
when the session is decoded.

Mitigation:
All httpd users deploying mod_session should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Diego Angulo from ImExHS.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

Description:
By sending request bodies in a slow loris way to plain 
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in 
Apache HTTP Server versions 2.4.37 and prior.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html