Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13884 closed enhancement (fixed)

httpd-2.4.46

Reported by: Bruce Dubbs Owned by: Pierre Labastie
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Pierre Labastie, 4 years ago

Owner: changed from blfs-book to Pierre Labastie
Status: new → assigned

comment:2 by Pierre Labastie, 4 years ago

Hmm, maybe hold on this one: the 2.4.46 tarball might not be definitive: there is still a CURRENT-IS-2.4.43 file in the release directory. The Changes are very small (and do not concern linux):

Changes with Apache 2.4.46
  *) mod_proxy_fcgi: Fix build warnings for Windows platform
     [Eric Covener, Christophe Jaillet]

comment:3 by Pierre Labastie, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r23471

comment:4 by Douglas R. Reno, 4 years ago

Priority: normal → high

Here come the security fixes!

CVE-2020-9490

CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header

Severity: important

Vendor: Apache Software Foundation

Versions Affected:
Apache HTTP Server 2.4.20 to 2.4.43

Description:
Apache HTTP Server versions 2.4.20 to 2.4.43
A specially crafted value for the 'Cache-Digest' header in an HTTP/2
request would result in a crash when the server actually tries to HTTP/2
PUSH a resource afterwards.

Mitigation:
Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Credit:
Felix Wilhelm of Google Project Zero

References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490

CVE-2020-11984

CVE-2020-11984: mod_uwsgi buffer overflow

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.32 to 2.4.44

Description:
Apache HTTP Server 2.4.32 to 2.4.44
mod_proxy_uwsgi info disclosure and possible RCE
    
Mitigation:
disable mod_uwsgi

Credit:
Discovered by Felix Wilhelm of Google Project Zero

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2020-11985

CVE-2020-11985: CWE-345: Insufficient verification of data authenticity

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.1 to 2.4.23

Description:
Apache HTTP Server 2.4.1 to 2.4.23
IP address spoofing when proxying using mod_remoteip and mod_rewrite
    
Mitigation:
Disable mod_remoteip

Credit:
Initially reported at https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2020-11993

CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

Severity: moderate

Vendor: Apache Software Foundation

Versions Affected:
Apache HTTP Server 2.4.20 to 2.4.43

Description:
Apache HTTP Server versions 2.4.20 to 2.4.43
When trace/debug was enabled for the HTTP/2 module and on
certain traffic edge patterns, logging statements were made on
the wrong connection, causing concurrent use of memory pools.

Mitigation:
Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Credit:
Felix Wilhelm of Google Project Zero

References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
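The four advisories quoted above each name an interim configuration mitigation for servers that cannot yet move to 2.4.46 (H2Push off, unloading mod_proxy_uwsgi, unloading mod_remoteip, and a mod_http2 LogLevel above "info"). The script below is an added example, not BLFS or Apache code: it parses a minimal httpd.conf and reports which of those mitigations are missing. The two configuration fragments are constructed for the example; the parser ignores Include and container sections such as <IfModule>, and the per-module LogLevel spellings it accepts are an assumption.

```python
# Constructed sample httpd.conf fragment (not from the ticket): a server that
# is exposed on every point the four advisories mention.
EXPOSED_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule rewrite_module modules/mod_rewrite.so
Protocols h2 http/1.1
H2Push on
LogLevel warn http2:trace2
"""

# The same constructed server with each advisory's interim mitigation applied.
MITIGATED_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule rewrite_module modules/mod_rewrite.so
Protocols h2 http/1.1
H2Push off
LogLevel warn http2:warn
"""

# httpd LogLevel names, most severe first.
LOG_LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info",
              "debug"] + [f"trace{n}" for n in range(1, 9)]

# Spellings accepted for a per-module LogLevel on mod_http2 (assumption).
HTTP2_MODULE_NAMES = {"http2", "mod_http2", "mod_http2.c", "http2_module"}


def parse_conf(text):
    """Return (directive, args) tuples for each non-comment line.
    Simplification: Include and <IfModule>-style containers are not followed."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def loaded_modules(directives):
    """Module identifiers named by LoadModule lines (e.g. 'http2_module')."""
    return {args[0].lower() for name, args in directives
            if name == "loadmodule" and args}


def h2push_enabled(directives):
    """H2Push defaults to on when mod_http2 is loaded; the last directive wins."""
    value = "on"
    for name, args in directives:
        if name == "h2push" and args:
            value = args[0].lower()
    return value == "on"


def http2_log_level(directives):
    """Effective LogLevel for mod_http2: a module-specific level overrides the
    global one, and later directives override earlier ones."""
    global_level, module_level = "warn", None
    for name, args in directives:
        if name != "loglevel":
            continue
        for arg in args:
            if ":" in arg:
                module, level = arg.split(":", 1)
                if module.lower() in HTTP2_MODULE_NAMES:
                    module_level = level.lower()
            else:
                global_level = arg.lower()
    return module_level or global_level


def audit(text):
    """Return the set of CVE ids whose advisory mitigation is NOT in place.
    Configuration only: the actual fix is upgrading to httpd 2.4.46."""
    directives = parse_conf(text)
    mods = loaded_modules(directives)
    http2 = "http2_module" in mods
    level = http2_log_level(directives)
    # The advisory asks for a level "above info", i.e. strictly more severe
    # than info; info itself and anything more verbose counts as exposed.
    verbose = (LOG_LEVELS.index(level) >= LOG_LEVELS.index("info")
               if level in LOG_LEVELS else True)

    unmitigated = set()
    if http2 and h2push_enabled(directives):
        unmitigated.add("CVE-2020-9490")
    if "proxy_uwsgi_module" in mods:
        unmitigated.add("CVE-2020-11984")
    if "remoteip_module" in mods:
        unmitigated.add("CVE-2020-11985")
    if http2 and verbose:
        unmitigated.add("CVE-2020-11993")
    return unmitigated


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("mitigated", MITIGATED_CONF)):
        missing = sorted(audit(conf))
        print(f"{label}: {missing or 'all advisory mitigations present'}")
```

Run against a real httpd.conf the script only sees directives in that one file, so anything pulled in via Include or set inside a container is invisible to it; it is a quick pre-upgrade check, not a substitute for the 2.4.46 update that closes all four issues.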