Closed
Opened Jan 24, 2019 by Alicha CH (@alicha), Reporter

[3.7] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199)

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server
thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html

(from redmine: issue id 9908, created on 2019-01-24, closed on 2019-01-28)

  • Relations:
    • parent #9905 (closed)
  • Changesets:
    • Revision b49cc47c on 2019-01-25T19:52:24Z:
main/apache2: security upgrade to 2.4.38

fixes #9908
Milestone: 3.7.2
Reference: alpine/aports#9908
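
The ordering problem described for CVE-2018-17199, as a simplified C model added here for illustration; it is not httpd source code and not part of the original issue. The struct, the function names and the cookie payload format are hypothetical.

```c
/* Simplified model of the check-before-decode ordering; NOT httpd source.
 * All names and the payload format are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *encoded; /* cookie payload as received from the client */
    long expiry;         /* stays 0 until the payload has been decoded */
} session;

/* Decoding is the step that populates expiry from the cookie payload. */
static void decode(session *s) {
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? strtol(p + 7, NULL, 10) : 0;
}

/* A session with no expiry set (0) is treated as never expiring. */
static int expired(const session *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Ordering the issue describes for 2.4.37 and prior: the expiry test runs
 * before decode, sees expiry == 0, and never rejects. Returns 1 if accepted. */
int load_check_then_decode(const char *cookie, long now) {
    session s = { cookie, 0 };
    if (expired(&s, now)) return 0;
    decode(&s);
    return 1;
}

/* Corrected ordering: decode first so the expiry test sees the real value. */
int load_decode_then_check(const char *cookie, long now) {
    session s = { cookie, 0 };
    decode(&s);
    if (expired(&s, now)) return 0;
    return 1;
}

int main(void) {
    const char *cookie = "user=alice&expiry=1000"; /* constructed sample */
    printf("check-then-decode, now=2000: accepted=%d\n", load_check_then_decode(cookie, 2000));
    printf("decode-then-check, now=2000: accepted=%d\n", load_decode_then_check(cookie, 2000));
    printf("decode-then-check, now=500:  accepted=%d\n", load_decode_then_check(cookie, 500));
    return 0;
}
```
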