aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
2019-07-23T11:15:28Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9908
[3.7] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199)
2019-07-23T11:15:28Z
Alicha CH

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies
------------------------------------------------------------------
By sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server thread cleaning
up that incoming data. This affects only HTTP/2 connections. A possible
mitigation is to not enable the h2 protocol.
### Fixed In Version:
Apache httpd 2.4.38
### References:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time
-----------------------------------------------------------------
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the
expiry time is loaded when the session is decoded.
### Fixed In Version:
Apache httpd 2.4.38
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
*(from redmine: issue id 9908, created on 2019-01-24, closed on 2019-01-28)*
* Relations:
  * parent #9905
* Changesets:
  * Revision b49cc47cb0358234399a4dee1ad276828120df5b on 2019-01-25T19:52:24Z:
  ```
  main/apache2: security upgrade to 2.4.38
  fixes #9908
  ```
3.7.2
Kaarle Ritvanen

https://gitlab.alpinelinux.org/alpine/aports/-/issues/9579
[3.7] apache2: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)
2019-07-23T11:19:28Z
Alicha CH

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large
SETTINGS frames a client can occupy a connection, server thread and CPU
time without any connection timeout coming to effect. This affects only
HTTP/2 connections. A possible mitigation is to not enable the h2
protocol.
### Fixed in Version:
Apache httpd 2.4.35
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
*(from redmine: issue id 9579, created on 2018-10-25, closed on 2018-10-29)*
* Relations:
  * parent #9576
* Changesets:
  * Revision ea785d01e00a8c2a6c9b8b35535c5e3e5da1178b by Andy Postnikov on 2018-10-28T13:27:58Z:
  ```
  main/apache2: security upgrade to 2.4.35 (CVE-2018-11763)
  fixes #9579
  ```
  * Revision aa79b6b19b8d17276a444f0c17c1c3a3742f3ef8 by Natanael Copa on 2018-10-29T18:26:37Z:
  ```
  main/xorg-server: security upgrade to 1.20.3 (CVE-2018-14665)
  fixes #9579
  ```
3.7.2
Kaarle Ritvanen