[3.8] apache2: Multiple vulnerabilities (CVE-2018-17189, CVE-2018-17199)
CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies
By sending request bodies in a slowloris fashion (trickling the body in a few bytes at a time over a long period) to plain resources, i.e. resources whose handler does not read the body, such as static files, the h2 stream for that request unnecessarily occupied a server thread draining that incoming data. Enough such streams exhaust the worker threads. This affects only HTTP/2 (mod_http2) connections; HTTP/1.1 clients cannot trigger it. A possible mitigation for versions before 2.4.38 is to not enable the h2 protocol, that is, to leave h2 and h2c out of the Protocols directive.
Fixed In Version:
Apache httpd 2.4.38
References:
https://httpd.apache.org/security/vulnerabilities_24.html
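A quick audit of whether a host is in scope for CVE-2018-17189, as an added example that is not part of the advisory or of the Apache project's own code: it parses the version out of `httpd -v` output and scans the configuration for a Protocols directive that lists h2 or h2c, because Apache's default for Protocols is http/1.1 only and HTTP/2 is never in play unless a directive names it. The sample `httpd -v` output and the two configuration strings are constructed for illustration, and all function names are assumptions of this example.

```python
import re

# Version that fixes CVE-2018-17189 and CVE-2018-17199 (from the advisory).
FIXED_VERSION = (2, 4, 38)

# Constructed sample of `httpd -v` output; not captured from a real host.
SAMPLE_HTTPD_V = (
    "Server version: Apache/2.4.37 (Unix)\n"
    "Server built:   Oct 18 2018 15:48:45\n"
)

# Constructed vhost that enables h2 (the exposed setting).
SAMPLE_CONFIG_H2 = """\
LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
</VirtualHost>
"""

# Same vhost with the advisory's mitigation applied: h2 is not advertised.
SAMPLE_CONFIG_MITIGATED = """\
<VirtualHost *:443>
    ServerName example.test
    # CVE-2018-17189 mitigation for versions before 2.4.38: do not enable h2
    Protocols http/1.1
</VirtualHost>
"""


def parse_httpd_version(httpd_v_output):
    """Return (major, minor, patch) parsed from `httpd -v` text."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if m is None:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(part) for part in m.groups())


def h2_enabled(config_text):
    """True if any Protocols directive lists h2 (TLS) or h2c (cleartext).

    Apache only speaks HTTP/2 when a Protocols directive names it, so a
    configuration with no such directive, or with http/1.1 only, is not
    exposed.  Include directives are not followed: feed in the full config.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"protocols\s+(.+)", line, re.IGNORECASE)
        if m and any(p.lower() in ("h2", "h2c") for p in m.group(1).split()):
            return True
    return False


def affected_by_cve_2018_17189(httpd_v_output, config_text):
    """Exposed only when running before 2.4.38 *and* h2 or h2c is enabled."""
    return (parse_httpd_version(httpd_v_output) < FIXED_VERSION
            and h2_enabled(config_text))


if __name__ == "__main__":
    for label, cfg in (("h2 enabled", SAMPLE_CONFIG_H2),
                       ("h2 disabled", SAMPLE_CONFIG_MITIGATED)):
        state = "AFFECTED" if affected_by_cve_2018_17189(SAMPLE_HTTPD_V, cfg) else "not affected"
        print(f"{label}: {state}")
```

On a real host, pass the output of `httpd -v` and the concatenated contents of the main configuration plus everything it includes; the scan deliberately treats version alone as insufficient, since a 2.4.37 server that never enables h2 is not reachable by this attack.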
CVE-2018-17199: mod_session_cookie does not respect expiry time
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. For mod_session_cookie sessions the expiry time is only loaded when the session is decoded, so at the point of the check it is still unset and the expiry is effectively ignored: a cookie-stored session that has already passed its expiry continues to be accepted as valid.
Fixed In Version:
Apache httpd 2.4.38
References:
https://httpd.apache.org/security/vulnerabilities_24.html
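The check-before-decode ordering behind CVE-2018-17199, modelled in Python as an added example rather than mod_session's own C code: the session travels in the cookie as a form-encoded string whose `expiry` key carries the time after which it is invalid, and the model assumes, as mod_session does, that an expiry of 0 means "not set". `load_vulnerable` reproduces the 2.4.37 ordering and `load_fixed` the 2.4.38 ordering. The cookie value and the timestamps are constructed, timestamps are simplified to whole seconds, and the optional mod_session_crypto encryption layer is left out because it does not change where the expiry lives.

```python
from urllib.parse import parse_qs, urlencode


class Session:
    """Minimal stand-in for mod_session's session record (constructed model)."""

    def __init__(self, encoded):
        self.encoded = encoded   # raw cookie value exactly as received
        self.entries = {}        # key/value pairs, filled in only by decode()
        self.expiry = 0          # 0 == no expiry known; set only by decode()


def encode_session(entries, max_age, now):
    """Build the cookie value: user data plus an absolute expiry timestamp."""
    data = dict(entries)
    data["expiry"] = str(int(now + max_age))
    return urlencode(data)


def decode(session):
    """Parse the form-encoded cookie and lift the expiry out of it."""
    parsed = parse_qs(session.encoded, keep_blank_values=True)
    session.entries = {k: v[0] for k, v in parsed.items()}
    session.expiry = int(session.entries.pop("expiry", "0"))


def is_expired(session, now):
    """An unset (0) expiry never expires; otherwise compare against now."""
    return session.expiry != 0 and session.expiry < now


def load_vulnerable(cookie, now):
    """2.4.37 and earlier: expiry is checked before the cookie is decoded.

    At this point session.expiry is still 0, so is_expired() can never be
    true and a stale cookie is accepted regardless of its expiry value.
    """
    z = Session(cookie)
    if is_expired(z, now):
        return None
    decode(z)
    return z


def load_fixed(cookie, now):
    """2.4.38: decode first, then check the expiry that was just loaded."""
    z = Session(cookie)
    decode(z)
    if is_expired(z, now):
        return None
    return z


if __name__ == "__main__":
    issued = 1_700_000_000                      # constructed timestamp
    cookie = encode_session({"user": "alice"}, max_age=600, now=issued)
    later = issued + 601                        # one second past expiry
    print("vulnerable ordering accepts stale cookie:",
          load_vulnerable(cookie, later) is not None)
    print("fixed ordering accepts stale cookie:",
          load_fixed(cookie, later) is not None)
```

The practical consequence is that SessionMaxAge gave no server-side guarantee on cookie-stored sessions before 2.4.38: a captured session cookie stayed usable for as long as its contents remained valid, rather than until the expiry it carried.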
(from redmine: issue id 9907, created on 2019-01-24, closed on 2019-01-28)
- Relations:
- parent #9905 (closed)
- Changesets:
- Revision 1d9e0b6c on 2019-01-25T19:42:17Z:
main/apache2: security upgrade to 2.4.38
fixes #9907