Posted to cvs@httpd.apache.org by bu...@apache.org on 2019/01/23 08:17:43 UTC
svn commit: r1039398 - in /websites/staging/httpd/trunk/content: ./
security/vulnerabilities-httpd.xml security/vulnerabilities_24.html
Author: buildbot
Date: Wed Jan 23 08:17:43 2019
New Revision: 1039398
Log:
Staging update by buildbot for httpd
Modified:
websites/staging/httpd/trunk/content/ (props changed)
websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Jan 23 08:17:43 2019
@@ -1 +1 @@
-1851853
+1851890
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml Wed Jan 23 08:17:43 2019
@@ -1,4 +1,95 @@
-<security updated="20180925">
+<security updated="20190122">
+<issue reported="20190101" public="20190122">
+ <cve name="CVE-2019-0190"/>
+ <severity level="2">important</severity>
+ <title>mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1</title>
+ <description>
+ <p>A bug exists in the way mod_ssl handled client renegotiations.
+ A remote attacker could send a carefully crafted request that
+ would cause mod_ssl to enter a loop leading to a denial of
+ service. This bug can be only triggered with Apache HTTP Server
+ version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
+ an interaction in changes to handling of renegotiation attempts.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered through user bug reports.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.38" date=""/>
+ <affects prod="httpd" version="2.4.37"/>
+</issue>
+<issue reported="20181008" public="20190122">
+ <cve name="CVE-2018-17199"/>
+ <severity level="4">low</severity>
+ <title>mod_session_cookie does not respect expiry time</title>
+ <description>
+ <p>In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
+ checks the session expiry time before decoding the session.
+ This causes session expiry time to be ignored for
+ mod_session_cookie sessions since the expiry time is loaded
+ when the session is decoded.</p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Diego Angulo from ImExHS.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.38" date=""/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+ <affects prod="httpd" version="2.4.0"/>
+</issue>
+<issue reported="20181016" public="20190122">
+ <cve name="CVE-2018-17189"/>
+ <severity level="4">low</severity>
+ <title>DoS for HTTP/2 connections via slow request bodies</title>
+ <description>
+ <p>By sending request bodies in a slow loris way to plain
+ resources, the h2 stream for that request unnecessarily
+ occupied a server thread cleaning up that incoming data.
+ This affects only HTTP/2 connections. A possible mitigation
+ is to not enable the h2 protocol.
+</p>
+ </description>
+ <acknowledgements>
+The issue was discovered by Gal Goldshtein of F5 Networks.
+</acknowledgements>
+ <fixed base="2.4" version="2.4.38" date=""/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+</issue>
<issue reported="20180718" public="20180925">
<cve name="CVE-2018-11763"/>
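Review bot: the `<fixed base="2.4" version="2.4.38" date=""/>` element is committed with an empty `date` attribute in all three new issues (CVE-2019-0190, CVE-2018-17199, CVE-2018-17189), so the records carry no release date for the fix even though each issue already has `public="20190122"`; fill in the 2.4.38 release date, or leave the attribute out until it is known. In the CVE-2019-0190 entry the title says "OpenSSL 1.1.1" while the description says "OpenSSL version 1.1.1 or later"; the title should match the description so that readers on later OpenSSL versions do not rule themselves out. The CVE-2018-17189 entry breaks the indentation used by the two entries above it (the closing `</p>` and the acknowledgements text start at column 0) and, unlike the other two descriptions, does not state the affected version range in words.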
Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Wed Jan 23 08:17:43 2019
@@ -107,7 +107,102 @@ the version with a question mark. </p><
in a "-dev" release then this means that a fix has been applied to
the development source tree and will be part of an upcoming full release.</p><p> Please send comments or corrections for
these vulnerabilities to the <a href="/security_report.html">Security
-Team</a>. </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases. Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.35">
+Team</a>. </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases. Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.38">
+Fixed in Apache httpd 2.4.38</h1><dl>
+ <dt>
+ <h3 id="CVE-2019-0190">important:
+ <name name="CVE-2019-0190">mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190">CVE-2019-0190</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>A bug exists in the way mod_ssl handled client renegotiations.
+ A remote attacker could send a carefully crafted request that
+ would cause mod_ssl to enter a loop leading to a denial of
+ service. This bug can be only triggered with Apache HTTP Server
+ version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
+ an interaction in changes to handling of renegotiation attempts.
+ </p>
+ <p>Acknowledgements:
+ The issue was discovered through user bug reports.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">1st January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-17199">low:
+ <name name="CVE-2018-17199">mod_session_cookie does not respect expiry time</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199">CVE-2018-17199</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
+ checks the session expiry time before decoding the session.
+ This causes session expiry time to be ignored for
+ mod_session_cookie sessions since the expiry time is loaded
+ when the session is decoded.</p>
+ <p>Acknowledgements:
+ The issue was discovered by Diego Angulo from ImExHS.
+ </p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">8th October 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+ </tr>
+ </table>
+ </dd>
+ <dt>
+ <h3 id="CVE-2018-17189">low:
+ <name name="CVE-2018-17189">DoS for HTTP/2 connections via slow request bodies</name>
+ (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189">CVE-2018-17189</a>)
+ </h3>
+ </dt>
+ <dd>
+ <p>By sending request bodies in a slow loris way to plain
+ resources, the h2 stream for that request unnecessarily
+ occupied a server thread cleaning up that incoming data.
+ This affects only HTTP/2 connections. A possible mitigation
+ is to not enable the h2 protocol.
+</p>
+ <p>Acknowledgements:
+The issue was discovered by Gal Goldshtein of F5 Networks.
+</p>
+ <table class="cve">
+ <tr>
+ <td class="cve-header">Reported to security team</td>
+ <td class="cve-value">16th October 2018</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Issue public</td>
+ <td class="cve-value">22nd January 2019</td>
+ </tr>
+ <tr>
+ <td class="cve-header">Affects</td>
+ <td class="cve-value">2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+ </tr>
+ </table>
+ </dd>
+</dl><br/><h1 id="2.4.35">
Fixed in Apache httpd 2.4.35</h1><dl>
<dt>
<h3 id="CVE-2018-11763">low:
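Review bot: each of the three new `<h3>` headings wraps its title in `<name name="CVE-...">` (the CVE-2019-0190, CVE-2018-17199 and CVE-2018-17189 entries), which is not an HTML element, and the enclosing `<h3 id="...">` already carries the same identifier as the anchor; emit a `<span>` or the bare title text instead. This file mirrors vulnerabilities-httpd.xml, so the change belongs in whatever generates it rather than in a hand edit here. The three CVE links also use `http://cve.mitre.org/...`; prefer `https://` if the target serves it. The misaligned `</p>` and acknowledgements line in the CVE-2018-17189 block are inherited from the XML source and should be fixed there.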