You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/04/02 01:50:46 UTC
svn commit: r1856791 -
/httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: druggeri
Date: Tue Apr 2 01:50:45 2019
New Revision: 1856791
URL: http://svn.apache.org/viewvc?rev=1856791&view=rev
Log:
Update with latest batch of vulnerabilities
Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1856791&r1=1856790&r2=1856791&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Apr 2 01:50:45 2019
@@ -1,4 +1,195 @@
-<security updated="20190122">
+<security updated="20190401">
+<issue reported="20190129" public="20190401">
+ <cve name="CVE-2019-0197"/>
+ <severity level="4">low</severity>
+ <title>mod_http2, possible crash on late upgrade</title>
+ <description>
+ <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
+ h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
+ was not the first request on a connection could lead to a misconfiguration
+ and crash. A server that never enabled the h2 protocol or that only enabled
+ it for https: and did not configure the "H2Upgrade on" is unaffected by this.
+ </p>
+ </description>
+ <acknowledgements>
+The issue was discovered by Stefan Eissing, greenbytes.de.
+</acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+</issue>
+<issue reported="20190129" public="20190401">
+ <cve name="CVE-2019-0196"/>
+ <severity level="4">low</severity>
+ <title>mod_http2, read-after-free on a string compare</title>
+ <description>
+ <p>Using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparision when determining the method of a request and
+ thus process the request incorrectly.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Craig Young, <vuln-report@secur3.us>.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+</issue>
+<issue reported="20190222" public="20190401">
+ <cve name="CVE-2019-0211"/>
+ <severity level="2">important</severity>
+ <title>Apache HTTP Server privilege escalation from modules' scripts</title>
+ <description>
+ <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
+ event, worker or prefork, code executing in less-privileged
+ child processes or threads (including scripts executed by an
+ in-process scripting interpreter) could execute arbitrary code
+ with the privileges of the parent process (usually root) by
+ manipulating the scoreboard. Non-Unix systems are not
+ affected.</p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Charles Fol.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+</issue>
+<issue reported="20190129" public="20190401">
+ <cve name="CVE-2019-0217"/>
+
+ <severity level="2">important</severity>
+
+ <title>mod_auth_digest access control bypass</title>
+ <description>
+ <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
+ race condition in mod_auth_digest when running in a threaded
+ server could allow a user with valid credentials to authenticate
+ using another username, bypassing configured access control
+ restrictions.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Simon Kappel.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+ <affects prod="httpd" version="2.4.0"/>
+</issue>
+<issue reported="20190123" public="20190401">
+ <cve name="CVE-2019-0215"/>
+ <severity level="2">important</severity>
+ <title>mod_ssl access control bypass</title>
+ <description>
+ <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
+ mod_ssl when using per-location client certificate verification
+ with TLSv1.3 allowed a client supporting Post-Handshake
+ Authentication to bypass configured access control restrictions.</p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Michael Kaufmann.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+</issue>
+<issue reported="20190120" public="20190401">
+ <cve name="CVE-2019-0220"/>
+
+ <severity level="4">low</severity>
+
+ <title>Apache httpd URL normalization inconsistincy</title>
+ <description>
+ <p> When the path component of a request URL contains multiple
+ consecutive slashes ('/'), directives such as LocationMatch
+ and RewriteRule must account for duplicates in regular
+ expressions while other aspects of the servers processing will
+ implicitly collapse them.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.39" date=""/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+ <affects prod="httpd" version="2.4.0"/>
+</issue>
<issue reported="20190101" public="20190122">
<cve name="CVE-2019-0190"/>
<severity level="2">important</severity>