[3.7] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199) (#9908) · Issues · alpine / aports

[3.7] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199)

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server
thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities\_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities\_24.html

(from redmine: issue id 9908, created on 2019-01-24, closed on 2019-01-28)

Relations:
- parent #9905 (closed)
Changesets:
- Revision b49cc47c on 2019-01-25T19:52:24Z:

main/apache2: security upgrade to 2.4.38

fixes #9908

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information