Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11883 closed enhancement (fixed)

httpd-2.4.39

Reported by: Bruce Dubbs Owned by: blfs-book
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New oint version.

Change History (4)

comment:2 by Bruce Dubbs, 5 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 21419.

comment:3 by Douglas R. Reno, 5 years ago

Priority: normalhigh

It's security vulnerability time!

CVE-2019-0196 

CVE-2019-0196: mod_http2, read-after-free on a string compare

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.38

Description:
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly.
    
Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.

Credit:
The issue was discovered by Craig Young, <vuln-report@secur3.us>.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0197 

CVE-2019-0197: mod_http2, possible crash on late upgrade

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.34 to 2.4.38

Description:
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2
on a https: host, an Upgrade request from http/1.1 to http/2 that was
not the first request on a connection could lead to a misconfiguration
and crash. Servers that never enabled the h2 protocol or only enabled it
for https: and did not set"H2Upgrade on" are unaffected by this issue.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.

Credit:
The issue was discovered by Stefan Eissing, greenbytes.de.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0211 

CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.38

Description:
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes
or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the
parent process (usually root) by manipulating the scoreboard. Non-Unix
systems are not affected.

Mitigation:
All httpd users running MPM event, worker or prefork should upgrade to
2.4.39 or later.

Credit:
The issue was discovered by Charles Fol.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0217 

CVE-2019-0217: mod_auth_digest access control bypass

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.38

Description:
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition
in mod_auth_digest when running in a threaded server could allow a
user with valid credentials to authenticate using another username,
bypassing configured access control restrictions.

Mitigation:
All httpd users deploying mod_auth_digest should upgrade to 2.4.39 or later.

Credit:
The issue was discovered by Simon Kappel.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0215 

CVE-2019-0215: mod_ssl access control bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.27 to 2.4.38

Description:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
bug in mod_ssl when using per-location client certificate
verification with TLSv1.3 allowed a client to bypass
configured access control restrictions.
               
Mitigation:
This issue can be mitigated by disabling the TLSv1.3 protocol for a
VirtualHost which requires per-location or per-directory client
certificate authentication.

Credit:
The issue was discovered by Michael Kaufmann.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0220 

CVE-2019-0220: URL normalization inconsistincies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.39

Description:
When the path component of a request URL contains multiple consecutive slashes
('/'), directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the servers processing
will implicitly collapse them.
    
Mitigation:
Regular expressions used in directives that match against the path component
of the request URL can be modified to account for multiple consecutive slashes.

Credit:
The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> 
of Alpha Strike Labs GmbH".

References:
https://httpd.apache.org/security/vulnerabilities_24.html

comment:4 by Bruce Dubbs, 5 years ago

Milestone: 8.59.0

Milestone renamed

Note: See TracTickets for help on using tickets.