[3.9] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)
CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies
By sending request bodies in a Slowloris-style (deliberately slow) manner to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up the incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
Fixed In Version:
Apache httpd 2.4.38
References:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-17199: mod_session_cookie does not respect expiry time
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is only loaded when the session is decoded.
Fixed In Version:
Apache httpd 2.4.38
References:
https://httpd.apache.org/security/vulnerabilities_24.html
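The ordering bug behind CVE-2018-17199 is easy to miss in review, so here is an added illustration (not mod_session's code, and not part of this issue) that models the load path in a few lines of Python: a cookie-backed session carries its expiry inside the encoded value, so an expiry check that runs before decoding always sees an unset expiry and never rejects anything. The encoding format, the field names and the use of integer seconds for time are constructed assumptions for the model.

```python
from typing import Optional

# Constructed model of a cookie-backed session store. The cookie value is the
# only thing the server holds, so "expiry" is inside the encoded payload and is
# unknown until the payload has been decoded (assumption mirroring the advisory).


def encode_session(entries: dict) -> str:
    """Encode key/value pairs as k=v&k=v (constructed format, not httpd's)."""
    return "&".join(f"{k}={v}" for k, v in entries.items())


def decode_session(encoded: str) -> dict:
    """Decode the k=v&k=v form produced by encode_session."""
    out = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def load_session_vulnerable(cookie: str, now: int) -> Optional[dict]:
    """Bug pattern: expiry is checked BEFORE the cookie is decoded.

    At the time of the check the expiry field is still 0, so the comparison
    never fires and an expired session is accepted as valid.
    """
    expiry = 0                      # not yet known: it lives inside the cookie
    if expiry and now > expiry:     # always False here
        return None
    entries = decode_session(cookie)
    expiry = int(entries.get("expiry", 0))   # too late: nothing uses it
    return entries


def load_session_fixed(cookie: str, now: int) -> Optional[dict]:
    """Corrected ordering: decode first, then compare the real expiry."""
    entries = decode_session(cookie)
    expiry = int(entries.get("expiry", 0))
    if expiry and now > expiry:
        return None                 # session has expired: reject it
    return entries


if __name__ == "__main__":
    # Constructed sample: a session that expired at t=100, checked at t=200.
    stale = encode_session({"user": "alice", "expiry": 100})
    print("vulnerable:", load_session_vulnerable(stale, now=200))  # still returns the session
    print("fixed:     ", load_session_fixed(stale, now=200))       # None
```

The point for reviewers and detection engineers is that neither version crashes or logs anything: the only observable difference is that the vulnerable path keeps honouring a session past its expiry, which is why the fix in 2.4.38 is purely a reordering of the expiry check relative to the decode step.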
CVE-2019-0190: mod_ssl: remote DoS when used with OpenSSL 1.1.1
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction between changes in the handling of renegotiation attempts.
Fixed In Version:
Apache httpd 2.4.38
References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://seclists.org/oss-sec/2019/q1/82
(from redmine: issue id 9906, created on 2019-01-24, closed on 2019-01-28)
- Relations:
- parent #9905 (closed)
- Changesets:
- Revision e82176fd on 2019-01-25T19:34:59Z:
main/apache2: security upgrade to 2.4.38
fixes #9906