aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues

Issue #9906: [3.9] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9906
Author: Alicha CH
Updated: 2019-07-23T11:15:30Z

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies
------------------------------------------------------------------
By sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server
thread cleaning up that incoming data. This affects only HTTP/2
connections. A possible mitigation is to not enable the h2 protocol.
### Fixed In Version:
Apache httpd 2.4.38
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-17199: mod_session_cookie does not respect expiry time
---------------------------------------------------------------
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the
expiry time is loaded when the session is decoded.
### Fixed In Version:
Apache httpd 2.4.38
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0190: mod_ssl: remote DoS when used with OpenSSL 1.1.1
---------------------------------------------------------------
A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause
mod_ssl to enter a loop leading to a denial of service. This bug can
only be triggered with Apache HTTP Server version 2.4.37 when using
OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.
### Fixed In Version:
Apache httpd 2.4.38
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://seclists.org/oss-sec/2019/q1/82
*(from redmine: issue id 9906, created on 2019-01-24, closed on 2019-01-28)*
* Relations:
* parent #9905
* Changesets:
* Revision e82176fd8bf8ac0c0089a9b3daedcd2c52dafea3 on 2019-01-25T19:34:59Z:
```
main/apache2: security upgrade to 2.4.38
fixes #9906
```
Milestone: 3.9.0
Assignee: Kaarle Ritvanen

Issue #9577: [3.9] apache2: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/9577
Author: Alicha CH
Updated: 2019-07-23T11:19:30Z

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large
SETTINGS frames a client can occupy a connection, server thread and CPU
time without any connection timeout coming into effect. This affects only
HTTP/2 connections. A possible mitigation is to not enable the h2
protocol.
### Fixed in Version:
Apache httpd 2.4.35
### References:
https://httpd.apache.org/security/vulnerabilities_24.html
*(from redmine: issue id 9577, created on 2018-10-25, closed on 2018-10-29)*
* Relations:
* parent #9576
* Changesets:
* Revision f6d1356e6015d7539e9c147abbd2e13d4e2e0251 by Andy Postnikov on 2018-10-25T10:07:45Z:
```
main/apache2: security upgrade to 2.4.35 (CVE-2018-11763)
fixes #9577
```
Milestone: 3.9.0
Assignee: Kaarle Ritvanen
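Added example, not part of either issue and not code from the Alpine or Apache projects: a small Python triage helper that encodes the version conditions stated in the two issues above (CVE-2018-11763: 2.4.17 through 2.4.34, HTTP/2 only; CVE-2018-17189 and CVE-2018-17199: fixed in 2.4.38; CVE-2019-0190: exactly 2.4.37 with OpenSSL 1.1.1 or later) and decides, for a given httpd version, OpenSSL version and httpd.conf fragment, which of the four CVEs still apply and whether the advisory's "do not enable the h2 protocol" mitigation covers them. The function names, the line-based config parsing and the two httpd.conf fragments are assumptions made for this example.

```python
"""Triage helper for the httpd CVEs discussed in the two aports issues above.

Added example, not code from the Alpine issues or from Apache. The version
conditions are taken from the issue text: CVE-2018-11763 affects 2.4.17
through 2.4.34 (HTTP/2 only); CVE-2018-17189 (HTTP/2 only) and
CVE-2018-17199 (mod_session_cookie) are fixed in 2.4.38; CVE-2019-0190
needs exactly 2.4.37 with mod_ssl built against OpenSSL 1.1.1 or later.
The httpd.conf fragments at the bottom are constructed for the example.
"""
import re
from typing import Iterator, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the first dotted number: 'Apache/2.4.37 (Unix)' -> (2, 4, 37)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _directives(config: str) -> Iterator[List[str]]:
    """Yield each non-blank, non-comment config line as a token list."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()


def module_loaded(config: str, module: str) -> bool:
    """True if a 'LoadModule <module> ...' directive is present."""
    return any(d[0].lower() == "loadmodule" and len(d) > 1 and d[1] == module
               for d in _directives(config))


def h2_enabled(config: str) -> bool:
    """True if the server can negotiate HTTP/2: mod_http2 is loaded and a
    Protocols directive lists h2 (TLS) or h2c (cleartext).  This is a
    line-based approximation; <IfModule>/<VirtualHost> scoping is ignored."""
    offers_h2 = any(d[0].lower() == "protocols"
                    and any(p.lower() in ("h2", "h2c") for p in d[1:])
                    for d in _directives(config))
    return offers_h2 and module_loaded(config, "http2_module")


def applicable_cves(httpd_version: str, config: str,
                    openssl_version: str = "") -> List[str]:
    """Return the CVEs from the issues above that apply to this build/config."""
    v = parse_version(httpd_version)
    ssl = parse_version(openssl_version) if openssl_version else (0,)
    h2 = h2_enabled(config)
    hits: List[str] = []
    if (2, 4, 17) <= v <= (2, 4, 34) and h2:
        hits.append("CVE-2018-11763")  # continuous large SETTINGS frames
    # The issue gives only the fixed version (2.4.38) for CVE-2018-17189,
    # so no lower bound is applied here (assumption: treat all < 2.4.38).
    if v < (2, 4, 38) and h2:
        hits.append("CVE-2018-17189")  # slow request bodies on h2 streams
    if v < (2, 4, 38) and module_loaded(config, "session_cookie_module"):
        hits.append("CVE-2018-17199")  # cookie session expiry ignored
    if v == (2, 4, 37) and ssl >= (1, 1, 1):
        hits.append("CVE-2019-0190")   # mod_ssl renegotiation loop
    return hits


# Constructed httpd.conf fragments: the first exposes h2/h2c as the issues
# describe, the second applies the advisory's "do not enable h2" mitigation.
H2_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule session_cookie_module modules/mod_session_cookie.so
Protocols h2 h2c http/1.1
"""

MITIGATED_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule session_cookie_module modules/mod_session_cookie.so
# h2 and h2c removed from Protocols; clients fall back to HTTP/1.1
Protocols http/1.1
"""

if __name__ == "__main__":
    for ver, ssl in (("Apache/2.4.34", "OpenSSL 1.0.2p"),
                     ("Apache/2.4.37", "OpenSSL 1.1.1a")):
        for name, conf in (("h2 on", H2_CONF), ("h2 off", MITIGATED_CONF)):
            print(f"{ver} / {ssl} / {name}: {applicable_cves(ver, conf, ssl)}")
```

Removing h2/h2c from `Protocols` addresses the three HTTP/2 findings but not CVE-2019-0190, which is a mod_ssl renegotiation bug tied to the OpenSSL build, and the helper reflects that. The parser is line-based and does not track `<IfModule>` or `<VirtualHost>` scoping, so treat a negative result as a prompt to confirm against the running server (for example, whether ALPN still offers h2) rather than as proof; the only real fix is the 2.4.35/2.4.38 upgrades the changesets above ship.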