You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/04/02 01:50:46 UTC

svn commit: r1856791 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: druggeri
Date: Tue Apr  2 01:50:45 2019
New Revision: 1856791

URL: http://svn.apache.org/viewvc?rev=1856791&view=rev
Log:
Update with latest batch of vulnerabilities

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1856791&r1=1856790&r2=1856791&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Apr  2 01:50:45 2019
@@ -1,4 +1,195 @@
-<security updated="20190122">  
+<security updated="20190401">  
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0197"/>
+   <severity level="4">low</severity>
+   <title>mod_http2, possible crash on late upgrade</title>
+   <description>
+      <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
+         h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
+         was not the first request on a connection could lead to a misconfiguration
+         and crash. A server that never enabled the h2 protocol or that only enabled
+         it for https: and did not configure the "H2Upgrade on" is unaffected by this.
+      </p>
+   </description>
+   <acknowledgements>
+The issue was discovered by Stefan Eissing, greenbytes.de.
+</acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+</issue>
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0196"/>
+   <severity level="4">low</severity>
+   <title>mod_http2, read-after-free on a string compare</title>
+   <description>
+      <p>Using fuzzed network input, the http/2 request
+          handling could be made to access freed memory in string
+          comparision when determining the method of a request and
+          thus process the request incorrectly.
+      </p>
+   </description>
+   <acknowledgements>
+       The issue was discovered by Craig Young, &lt;vuln-report@secur3.us>.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+</issue>
+<issue reported="20190222" public="20190401">
+   <cve name="CVE-2019-0211"/>
+   <severity level="2">important</severity>
+   <title>Apache HTTP Server privilege escalation from modules' scripts</title>
+   <description>
+      <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
+      event, worker or prefork, code executing in less-privileged
+      child processes or threads (including scripts executed by an
+      in-process scripting interpreter) could execute arbitrary code
+      with the privileges of the parent process (usually root) by
+      manipulating the scoreboard. Non-Unix systems are not
+      affected.</p>
+   </description>
+   <acknowledgements>
+       The issue was discovered by Charles Fol.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+</issue>
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0217"/>
+
+   <severity level="2">important</severity>
+
+   <title>mod_auth_digest access control bypass</title>
+   <description>
+      <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
+          race condition in mod_auth_digest when running in a threaded
+          server could allow a user with valid credentials to authenticate
+          using another username, bypassing configured access control
+          restrictions.
+      </p>
+   </description>
+   <acknowledgements>
+   The issue was discovered by Simon Kappel.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+   <affects prod="httpd" version="2.4.16"/>
+   <affects prod="httpd" version="2.4.12"/>
+   <affects prod="httpd" version="2.4.10"/>
+   <affects prod="httpd" version="2.4.9"/>
+   <affects prod="httpd" version="2.4.7"/>
+   <affects prod="httpd" version="2.4.6"/>
+   <affects prod="httpd" version="2.4.4"/>
+   <affects prod="httpd" version="2.4.3"/>
+   <affects prod="httpd" version="2.4.2"/>
+   <affects prod="httpd" version="2.4.1"/>
+   <affects prod="httpd" version="2.4.0"/>
+</issue>
+<issue reported="20190123" public="20190401">
+   <cve name="CVE-2019-0215"/>
+   <severity level="2">important</severity>
+   <title>mod_ssl access control bypass</title>
+   <description>
+     <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
+     mod_ssl when using per-location client certificate verification
+     with TLSv1.3 allowed a client supporting Post-Handshake
+     Authentication to bypass configured access control restrictions.</p>
+   </description>
+   <acknowledgements>
+     The issue was discovered by Michael Kaufmann.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+</issue>
+<issue reported="20190120" public="20190401">
+   <cve name="CVE-2019-0220"/>
+
+   <severity level="4">low</severity>
+
+   <title>Apache httpd URL normalization inconsistincy</title>
+   <description>
+      <p> When the path component of a request URL contains multiple
+          consecutive slashes ('/'), directives such as LocationMatch
+          and RewriteRule must account for duplicates in regular
+          expressions while other aspects of the servers processing will
+          implicitly collapse them.
+      </p>
+   </description>
+   <acknowledgements>
+   The issue was discovered by Bernhard Lorenz &lt;bernhard.lorenz@alphastrike.io&gt; of Alpha Strike Labs GmbH.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+   <affects prod="httpd" version="2.4.16"/>
+   <affects prod="httpd" version="2.4.12"/>
+   <affects prod="httpd" version="2.4.10"/>
+   <affects prod="httpd" version="2.4.9"/>
+   <affects prod="httpd" version="2.4.7"/>
+   <affects prod="httpd" version="2.4.6"/>
+   <affects prod="httpd" version="2.4.4"/>
+   <affects prod="httpd" version="2.4.3"/>
+   <affects prod="httpd" version="2.4.2"/>
+   <affects prod="httpd" version="2.4.1"/>
+   <affects prod="httpd" version="2.4.0"/>
+</issue>
 <issue reported="20190101" public="20190122">
    <cve name="CVE-2019-0190"/>
    <severity level="2">important</severity>