DSA-4422-1 apache2 -- apache2ID: oval:org.secpod.oval:def:603841 | Date: (C)2019-04-05 (M)2024-05-06 |
Class: PATCH | Family: unix |
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189 Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service. CVE-2018-17199 Diego Angulo from ImExHS discovered that mod_session_cookie does not respect expiry time. CVE-2019-0196 Craig Young discovered that the http/2 request handling in mod_http2 could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. CVE-2019-0211 Charles Fol discovered a privilege escalation from the less-privileged child process to the parent process running as root. CVE-2019-0217 A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. The issue was discovered by Simon Kappel. CVE-2019-0220 Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL normalizations were inconsistently handled. When the path component of a request URL contains multiple consecutive slashes , directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.