Bug #9907

Bug #9905: apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)

[3.8] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199)

Added by Alicha CH 3 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Category: Security
Target version:
Start date: 01/24/2019
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs: CVE-2018-17189, CVE-2018-17199

Description

CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-17199: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Fixed In Version:

Apache httpd 2.4.38

References:

https://httpd.apache.org/security/vulnerabilities_24.html
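
The ordering problem described for CVE-2018-17199, as an added example that is not Apache httpd source and not part of the original report. It is a simplified C model; the struct, the cookie format and the function names are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not httpd source. The expiry travels inside the
 * encoded cookie value and is unknown until the value is decoded. */
typedef struct {
    const char *encoded; /* hypothetical format: "expiry=<secs>&user=<name>" */
    long expiry;         /* 0 means "not set", the state before decoding */
} session;

static void decode(session *s) {
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? strtol(p + 7, NULL, 10) : 0;
}

static int expired(const session *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Order the report describes for 2.4.37 and prior: test expiry, then decode.
 * The test runs while expiry is still 0, so it never rejects. Returns 1 if
 * the session is accepted. */
int load_check_then_decode(const char *cookie, long now) {
    session s = { cookie, 0 };
    if (expired(&s, now)) return 0;
    decode(&s);
    return 1;
}

/* Corrected order: decode first, so the test sees the cookie's expiry. */
int load_decode_then_check(const char *cookie, long now) {
    session s = { cookie, 0 };
    decode(&s);
    return !expired(&s, now);
}

int main(void) {
    const char *stale = "expiry=500&user=alice";  /* constructed sample */
    const char *fresh = "expiry=2000&user=alice"; /* constructed sample */
    long now = 1000;                              /* constructed clock */
    printf("stale, check-then-decode: %d\n", load_check_then_decode(stale, now));
    printf("stale, decode-then-check: %d\n", load_decode_then_check(stale, now));
    printf("fresh, decode-then-check: %d\n", load_decode_then_check(fresh, now));
    return 0;
}
```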

Associated revisions

Revision 1d9e0b6c (diff)
Added by J0WI 3 months ago

main/apache2: security upgrade to 2.4.38

fixes #9907

History

#1 Updated by Anonymous 3 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH 3 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
