[3.7] apache2: Multiple vulnerabilities (CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220)
CVE-2019-0196: mod_http2, read-after-free on a string compare
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly.
Versions Affected:
httpd 2.4.17 to 2.4.38
Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
CVE-2019-0197: mod_http2, possible crash on late upgrade
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
h2
on a https: host, an Upgrade request from http/1.1 to http/2 that was
not the first request on a connection could lead to a misconfiguration
and crash. Servers that never enabled the h2 protocol or only enabled
it
for https: and did not set“H2Upgrade on” are unaffected by this issue.
Versions Affected:
httpd 2.4.34 to 2.4.38
Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/2
CVE-2019-0211: Apache HTTP Server privilege escalation from modules’ scripts
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes
or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the
parent process (usually root) by manipulating the scoreboard. Non-Unix
systems are not affected.
Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/3
CVE-2019-0215: mod_ssl access control bypass
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
bug in mod_ssl when using per-location client certificate
verification with TLSv1.3 allowed a client to bypass
configured access control restrictions.
Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
https://www.openwall.com/lists/oss-security/2019/04/02/4
CVE-2019-0217: mod_auth_digest access control bypass
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition
in mod_auth_digest when running in a threaded server could allow a
user with valid credentials to authenticate using another username,
bypassing configured access control restrictions.
Fixed In Version:
Apache httpd 2.4.39
References:
https://www.openwall.com/lists/oss-security/2019/04/02/5
https://httpd.apache.org/security/vulnerabilities\_24.html
CVE-2019-0220: URL normalization inconsistincies
When the path component of a request URL contains multiple consecutive
slashes
(‘/’), directives such as LocationMatch and RewriteRule must account
for
duplicates in regular expressions while other aspects of the servers
processing
will implicitly collapse them.
Versions Affected:
httpd 2.4.0 to 2.4.38
Fixed In Version:
Apache httpd 2.4.39
References:
https://httpd.apache.org/security/vulnerabilities\_24.html
(from redmine: issue id 10189, created on 2019-04-02, closed on 2019-04-04)
- Relations:
- parent #10185 (closed)
- Changesets:
- Revision 721147d3 on 2019-04-03T15:48:11Z:
main/apache2: security upgrade to 2.4.39
fixes #10189