Posted to cvs@httpd.apache.org by bu...@apache.org on 2019/04/02 01:50:56 UTC

svn commit: r1043019 - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_24.html

Author: buildbot
Date: Tue Apr  2 01:50:56 2019
New Revision: 1043019

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
    websites/staging/httpd/trunk/content/security/vulnerabilities_24.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Apr  2 01:50:56 2019
@@ -1 +1 @@
-1856788
+1856791

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities-httpd.xml Tue Apr  2 01:50:56 2019
@@ -1,4 +1,195 @@
-<security updated="20190122">  
+<security updated="20190401">  
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0197"/>
+   <severity level="4">low</severity>
+   <title>mod_http2, possible crash on late upgrade</title>
+   <description>
+      <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
+         h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
+         was not the first request on a connection could lead to a misconfiguration
+         and crash. A server that never enabled the h2 protocol or that only enabled
+         it for https: and did not configure the "H2Upgrade on" is unaffected by this.
+      </p>
+   </description>
+   <acknowledgements>
+The issue was discovered by Stefan Eissing, greenbytes.de.
+</acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+</issue>
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0196"/>
+   <severity level="4">low</severity>
+   <title>mod_http2, read-after-free on a string compare</title>
+   <description>
+      <p>Using fuzzed network input, the http/2 request
+          handling could be made to access freed memory in string
+          comparision when determining the method of a request and
+          thus process the request incorrectly.
+      </p>
+   </description>
+   <acknowledgements>
+       The issue was discovered by Craig Young, &lt;vuln-report@secur3.us>.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+</issue>
+<issue reported="20190222" public="20190401">
+   <cve name="CVE-2019-0211"/>
+   <severity level="2">important</severity>
+   <title>Apache HTTP Server privilege escalation from modules' scripts</title>
+   <description>
+      <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
+      event, worker or prefork, code executing in less-privileged
+      child processes or threads (including scripts executed by an
+      in-process scripting interpreter) could execute arbitrary code
+      with the privileges of the parent process (usually root) by
+      manipulating the scoreboard. Non-Unix systems are not
+      affected.</p>
+   </description>
+   <acknowledgements>
+       The issue was discovered by Charles Fol.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+</issue>
+<issue reported="20190129" public="20190401">
+   <cve name="CVE-2019-0217"/>
+
+   <severity level="2">important</severity>
+
+   <title>mod_auth_digest access control bypass</title>
+   <description>
+      <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
+          race condition in mod_auth_digest when running in a threaded
+          server could allow a user with valid credentials to authenticate
+          using another username, bypassing configured access control
+          restrictions.
+      </p>
+   </description>
+   <acknowledgements>
+   The issue was discovered by Simon Kappel.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+   <affects prod="httpd" version="2.4.16"/>
+   <affects prod="httpd" version="2.4.12"/>
+   <affects prod="httpd" version="2.4.10"/>
+   <affects prod="httpd" version="2.4.9"/>
+   <affects prod="httpd" version="2.4.7"/>
+   <affects prod="httpd" version="2.4.6"/>
+   <affects prod="httpd" version="2.4.4"/>
+   <affects prod="httpd" version="2.4.3"/>
+   <affects prod="httpd" version="2.4.2"/>
+   <affects prod="httpd" version="2.4.1"/>
+   <affects prod="httpd" version="2.4.0"/>
+</issue>
+<issue reported="20190123" public="20190401">
+   <cve name="CVE-2019-0215"/>
+   <severity level="2">important</severity>
+   <title>mod_ssl access control bypass</title>
+   <description>
+     <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
+     mod_ssl when using per-location client certificate verification
+     with TLSv1.3 allowed a client supporting Post-Handshake
+     Authentication to bypass configured access control restrictions.</p>
+   </description>
+   <acknowledgements>
+     The issue was discovered by Michael Kaufmann.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+</issue>
+<issue reported="20190120" public="20190401">
+   <cve name="CVE-2019-0220"/>
+
+   <severity level="4">low</severity>
+
+   <title>Apache httpd URL normalization inconsistincy</title>
+   <description>
+      <p> When the path component of a request URL contains multiple
+          consecutive slashes ('/'), directives such as LocationMatch
+          and RewriteRule must account for duplicates in regular
+          expressions while other aspects of the servers processing will
+          implicitly collapse them.
+      </p>
+   </description>
+   <acknowledgements>
+   The issue was discovered by Bernhard Lorenz &lt;bernhard.lorenz@alphastrike.io&gt; of Alpha Strike Labs GmbH.
+   </acknowledgements>
+   <fixed base="2.4" version="2.4.39" date=""/>
+   <affects prod="httpd" version="2.4.38"/>
+   <affects prod="httpd" version="2.4.37"/>
+   <affects prod="httpd" version="2.4.35"/>
+   <affects prod="httpd" version="2.4.34"/>
+   <affects prod="httpd" version="2.4.33"/>
+   <affects prod="httpd" version="2.4.30"/>
+   <affects prod="httpd" version="2.4.29"/>
+   <affects prod="httpd" version="2.4.28"/>
+   <affects prod="httpd" version="2.4.27"/>
+   <affects prod="httpd" version="2.4.26"/>
+   <affects prod="httpd" version="2.4.25"/>
+   <affects prod="httpd" version="2.4.23"/>
+   <affects prod="httpd" version="2.4.20"/>
+   <affects prod="httpd" version="2.4.18"/>
+   <affects prod="httpd" version="2.4.17"/>
+   <affects prod="httpd" version="2.4.16"/>
+   <affects prod="httpd" version="2.4.12"/>
+   <affects prod="httpd" version="2.4.10"/>
+   <affects prod="httpd" version="2.4.9"/>
+   <affects prod="httpd" version="2.4.7"/>
+   <affects prod="httpd" version="2.4.6"/>
+   <affects prod="httpd" version="2.4.4"/>
+   <affects prod="httpd" version="2.4.3"/>
+   <affects prod="httpd" version="2.4.2"/>
+   <affects prod="httpd" version="2.4.1"/>
+   <affects prod="httpd" version="2.4.0"/>
+</issue>
 <issue reported="20190101" public="20190122">
    <cve name="CVE-2019-0190"/>
    <severity level="2">important</severity>
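Review bot: The CVE-2019-0220 entry describes the mismatch in slash handling but never states the consequence or what changes in 2.4.39, so an administrator cannot tell whether existing `LocationMatch`/`RewriteRule` patterns need review. If the intent is that regex-based restrictions can fail to match a path with repeated slashes, say so, e.g. `<p>Restrictions written as regular expressions may not match such requests unless the pattern allows repeated slashes.</p>` (this wording is inferred from the description and should be confirmed by the security team). The same entry's title reads `inconsistincy` and the CVE-2019-0196 description reads `comparision`; both are carried verbatim into the generated vulnerabilities_24.html in this commit, so correct them here to `inconsistency` and `comparison`. All six new `<fixed>` elements carry `date=""`, which should be filled in with the 2.4.39 release date once it is known. The CVE-2019-0196 acknowledgement escapes only the opening bracket (`&lt;vuln-report@secur3.us>`) while the CVE-2019-0220 one also uses `&gt;`; use `&gt;` in both for consistency.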

Modified: websites/staging/httpd/trunk/content/security/vulnerabilities_24.html
==============================================================================
--- websites/staging/httpd/trunk/content/security/vulnerabilities_24.html (original)
+++ websites/staging/httpd/trunk/content/security/vulnerabilities_24.html Tue Apr  2 01:50:56 2019
@@ -107,7 +107,193 @@ the version with a question mark.  </p><
 in a "-dev" release then this means that a fix has been applied to
 the development source tree and will be part of an upcoming full release.</p><p> Please send comments or corrections for
 these vulnerabilities to the <a href="/security_report.html">Security
-Team</a>.  </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases.  Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.38">
+Team</a>.  </p><p><em>The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases.  Consult the <a href="vulnerabilities_22.html">Apache httpd 2.2 vulnerabilities list</a> for more information.</em></p><br/><h1 id="2.4.39">
+Fixed in Apache httpd 2.4.39</h1><dl>
+  <dt>
+    <h3 id="CVE-2019-0211">important:
+    <name name="CVE-2019-0211">Apache HTTP Server privilege escalation from modules' scripts</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211">CVE-2019-0211</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p>In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM
+      event, worker or prefork, code executing in less-privileged
+      child processes or threads (including scripts executed by an
+      in-process scripting interpreter) could execute arbitrary code
+      with the privileges of the parent process (usually root) by
+      manipulating the scoreboard. Non-Unix systems are not
+      affected.</p>
+    <p>Acknowledgements: 
+       The issue was discovered by Charles Fol.
+   </p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">22nd February 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17</td>
+      </tr>
+    </table>
+  </dd>
+  <dt>
+    <h3 id="CVE-2019-0217">important:
+    <name name="CVE-2019-0217">mod_auth_digest access control bypass</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217">CVE-2019-0217</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p> In Apache HTTP Server 2.4 release 2.4.38 and prior, a
+          race condition in mod_auth_digest when running in a threaded
+          server could allow a user with valid credentials to authenticate
+          using another username, bypassing configured access control
+          restrictions.
+      </p>
+    <p>Acknowledgements: 
+   The issue was discovered by Simon Kappel.
+   </p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">29th January 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+      </tr>
+    </table>
+  </dd>
+  <dt>
+    <h3 id="CVE-2019-0215">important:
+    <name name="CVE-2019-0215">mod_ssl access control bypass</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215">CVE-2019-0215</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p>In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
+     mod_ssl when using per-location client certificate verification
+     with TLSv1.3 allowed a client supporting Post-Handshake
+     Authentication to bypass configured access control restrictions.</p>
+    <p>Acknowledgements: 
+     The issue was discovered by Michael Kaufmann.
+   </p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">23rd January 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37</td>
+      </tr>
+    </table>
+  </dd>
+  <dt>
+    <h3 id="CVE-2019-0197">low:
+    <name name="CVE-2019-0197">mod_http2, possible crash on late upgrade</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197">CVE-2019-0197</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p>When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for
+         h2 on a https: host, an Upgrade request from http/1.1 to http/2 that
+         was not the first request on a connection could lead to a misconfiguration
+         and crash. A server that never enabled the h2 protocol or that only enabled
+         it for https: and did not configure the "H2Upgrade on" is unaffected by this.
+      </p>
+    <p>Acknowledgements: 
+The issue was discovered by Stefan Eissing, greenbytes.de.
+</p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">29th January 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34</td>
+      </tr>
+    </table>
+  </dd>
+  <dt>
+    <h3 id="CVE-2019-0196">low:
+    <name name="CVE-2019-0196">mod_http2, read-after-free on a string compare</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196">CVE-2019-0196</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p>Using fuzzed network input, the http/2 request
+          handling could be made to access freed memory in string
+          comparision when determining the method of a request and
+          thus process the request incorrectly.
+      </p>
+    <p>Acknowledgements: 
+       The issue was discovered by Craig Young, &lt;vuln-report@secur3.us&gt;.
+   </p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">29th January 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18</td>
+      </tr>
+    </table>
+  </dd>
+  <dt>
+    <h3 id="CVE-2019-0220">low:
+    <name name="CVE-2019-0220">Apache httpd URL normalization inconsistincy</name>
+    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220">CVE-2019-0220</a>)
+  </h3>
+  </dt>
+  <dd>
+    <p> When the path component of a request URL contains multiple
+          consecutive slashes ('/'), directives such as LocationMatch
+          and RewriteRule must account for duplicates in regular
+          expressions while other aspects of the servers processing will
+          implicitly collapse them.
+      </p>
+    <p>Acknowledgements: 
+   The issue was discovered by Bernhard Lorenz &lt;bernhard.lorenz@alphastrike.io&gt; of Alpha Strike Labs GmbH.
+   </p>
+    <table class="cve">
+      <tr>
+        <td class="cve-header">Reported to security team</td>
+        <td class="cve-value">20th January 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Issue public</td>
+        <td class="cve-value">1st April 2019</td>
+      </tr>
+      <tr>
+        <td class="cve-header">Affects</td>
+        <td class="cve-value">2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0</td>
+      </tr>
+    </table>
+  </dd>
+</dl><br/><h1 id="2.4.38">
 Fixed in Apache httpd 2.4.38</h1><dl>
   <dt>
     <h3 id="CVE-2019-0190">important: