Change History (4)
comment:1 by , 5 years ago
comment:3 by , 5 years ago
Priority: normal → high
It's security vulnerability time!
CVE-2019-0196
CVE-2019-0196: mod_http2, read-after-free on a string compare
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.17 to 2.4.38
Description: Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.
Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.
Credit: The issue was discovered by Craig Young, <vuln-report@secur3.us>.
References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0197
CVE-2019-0197: mod_http2, possible crash on late upgrade
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.34 to 2.4.38
Description: When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol or only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.
Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.
Credit: The issue was discovered by Stefan Eissing, greenbytes.de.
References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0211
CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts
Severity: important
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.17 to 2.4.38
Description: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Mitigation: All httpd users running MPM event, worker or prefork should upgrade to 2.4.39 or later.
Credit: The issue was discovered by Charles Fol.
References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0217
CVE-2019-0217: mod_auth_digest access control bypass
Severity: important
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.0 to 2.4.38
Description: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Mitigation: All httpd users deploying mod_auth_digest should upgrade to 2.4.39 or later.
Credit: The issue was discovered by Simon Kappel.
References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0215
CVE-2019-0215: mod_ssl access control bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.27 to 2.4.38
Description: In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
Mitigation: This issue can be mitigated by disabling the TLSv1.3 protocol for a VirtualHost which requires per-location or per-directory client certificate authentication.
Credit: The issue was discovered by Michael Kaufmann.
References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0220
CVE-2019-0220: URL normalization inconsistencies
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.0 to 2.4.39
Description: When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
Mitigation: Regular expressions used in directives that match against the path component of the request URL can be modified to account for multiple consecutive slashes.
Credit: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
References: https://httpd.apache.org/security/vulnerabilities_24.html
Changes are documented at https://www.apache.org/dist/httpd/CHANGES_2.4.39
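
For the CVE-2019-0220 mitigation quoted above, one way to audit path-matching regular expressions for the duplicate-slash gap. This is an added example, not part of the ticket or of httpd. The patterns and sample paths are constructed, and Python's `re` is assumed to behave like httpd's regex engine for these simple patterns.

```python
import itertools
import re


def slash_variants(path, max_run=3):
    """Yield forms of `path` with each '/' separator written as 1..max_run slashes."""
    parts = re.split(r"/+", path)
    gaps = len(parts) - 1
    for runs in itertools.product(range(1, max_run + 1), repeat=gaps):
        out = parts[0]
        for n, seg in zip(runs, parts[1:]):
            out += "/" * n + seg
        yield out


def audit(patterns, sample_paths, max_run=2):
    """Return {pattern: [variants it misses]} for every pattern that matches a
    collapsed path but fails on a form of it containing duplicate slashes."""
    findings = {}
    for pat in patterns:
        rx = re.compile(pat)
        for path in sample_paths:
            collapsed = re.sub(r"/+", "/", path)
            if not rx.search(collapsed):
                continue  # pattern is not meant to cover this path
            missed = [v for v in slash_variants(collapsed, max_run)
                      if not rx.search(v)]
            if missed:
                findings.setdefault(pat, []).extend(missed)
    return findings


# Constructed sample input: regexes as they might appear in LocationMatch or
# RewriteRule directives, and paths those directives are expected to cover.
PATTERNS = [
    r"^/admin/",           # assumes exactly one slash at each position
    r"^/+admin/+",         # tolerates consecutive slashes
    r"^/api/v1/private",   # assumes single slashes between segments
]
PATHS = ["/admin/users", "/api/v1/private/keys", "/public/index.html"]

if __name__ == "__main__":
    for pat, missed in audit(PATTERNS, PATHS).items():
        print(f"{pat!r} misses {len(missed)} variant(s), e.g. {missed[0]!r}")
```

Patterns reported here are candidates for rewriting each `/` as `/+`, as the second sample pattern does.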