Posted to cvs@httpd.apache.org by mj...@apache.org on 2019/08/15 05:59:42 UTC
svn commit: r1865203 -
/httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Author: mjc
Date: Thu Aug 15 05:59:42 2019
New Revision: 1865203
URL: http://svn.apache.org/viewvc?rev=1865203&view=rev
Log:
Merge new vulnerability info
Modified:
httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1865203&r1=1865202&r2=1865203&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Thu Aug 15 05:59:42 2019
@@ -1,4 +1,214 @@
-<security updated="20190401">
+<security updated="20190814">
+<issue reported="20190412" public="20190814">
+ <cve name="CVE-2019-10082"/>
+ <severity level="3">moderate</severity>
+ <title>mod_http2, read-after-free in h2 connection shutdown</title>
+ <description>
+ <p>Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Craig Young of Tripwire VERT, <vuln-report@secur3.us>.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.40" date="20190814"/>
+ <affects prod="httpd" version="2.4.39"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.32"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+</issue>
+
+<issue reported="20190410" public="20190814">
+ <cve name="CVE-2019-10081"/>
+ <severity level="3">moderate</severity>
+ <title>mod_http2, memory corruption on early pushes</title>
+ <description>
+ <p>
+ HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Craig Young of Tripwire VERT, <vuln-report@secur3.us>.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.40" date="20190814"/>
+ <affects prod="httpd" version="2.4.39"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.32"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+</issue>
+<issue reported="20190709" public="20190814">
+ <cve name="CVE-2019-10092"/>
+
+ <severity level="4">low</severity>
+
+ <title>Limited cross-site scripting in mod_proxy error page</title>
+ <description>
+ <p> A limited cross-site scripting issue was reported affecting
+ the mod_proxy error page. An attacker could cause the link on
+ the error page to be malfomed and instead point to a page of
+ their choice. This would only be exploitable where a server was
+ set up with proxying enabled but was misconfigured in such a way
+ that the Proxy Error page was displayed.</p>
+ <p>We have taken this opportunity to also remove request data
+ from many other in-built error messages. Note however this issue
+ did not affect them directly and their output was already escaped
+ to prevent cross-site scripting attacks.
+ </description>
+ <acknowledgements>
+ This issue was reported by Matei "Mal" Badanoiu
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.40" date="20190814"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+ <affects prod="httpd" version="2.4.0"/>
+</issue>
+<issue reported="20190410" public="20190814">
+ <cve name="CVE-2019-9517"/>
+ <severity level="3">moderate</severity>
+ <title>mod_http2, DoS attack by exhausting h2 workers.</title>
+ <description>
+ <p>
+ A malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Jonathan Looney of Netflix.
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.40" date="20190814"/>
+ <affects prod="httpd" version="2.4.39"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.32"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+</issue>
+<issue reported="20190723" public="20190814">
+ <cve name="CVE-2019-10097"/>
+
+ <severity level="3">moderate</severity>
+
+ <title>CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference</title>
+ <description>
+ <p>When mod_remoteip was configured to use a trusted intermediary proxy
+server using the "PROXY" protocol, a specially crafted PROXY header
+could trigger a stack buffer overflow or NULL pointer deference.
+This vulnerability could only be triggered by a trusted proxy and not
+by untrusted HTTP clients.</p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Daniel McCarney <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group (ISRG)@FIXME
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.41" date="20190814"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+</issue>
+<issue reported="20190326" public="20190814">
+ <cve name="CVE-2019-10098"/>
+
+ <severity level="4">low</severity>
+
+ <title>mod_rewrite potential open redirect</title>
+ <description>
+ <p>
+Redirects configured with mod_rewrite that were intended to be self-referential
+might be fooled by encoded newlines and redirect instead to an an unexpected
+URL within the request URL.
+ </p>
+ </description>
+ <acknowledgements>
+ The issue was discovered by Yukitsugu Sasaki
+ </acknowledgements>
+ <fixed base="2.4" version="2.4.40FIXME" date="20190814"/>
+ <affects prod="httpd" version="2.4.39"/>
+ <affects prod="httpd" version="2.4.38"/>
+ <affects prod="httpd" version="2.4.37"/>
+ <affects prod="httpd" version="2.4.35"/>
+ <affects prod="httpd" version="2.4.34"/>
+ <affects prod="httpd" version="2.4.33"/>
+ <affects prod="httpd" version="2.4.30"/>
+ <affects prod="httpd" version="2.4.29"/>
+ <affects prod="httpd" version="2.4.28"/>
+ <affects prod="httpd" version="2.4.27"/>
+ <affects prod="httpd" version="2.4.26"/>
+ <affects prod="httpd" version="2.4.25"/>
+ <affects prod="httpd" version="2.4.23"/>
+ <affects prod="httpd" version="2.4.20"/>
+ <affects prod="httpd" version="2.4.18"/>
+ <affects prod="httpd" version="2.4.17"/>
+ <affects prod="httpd" version="2.4.16"/>
+ <affects prod="httpd" version="2.4.12"/>
+ <affects prod="httpd" version="2.4.10"/>
+ <affects prod="httpd" version="2.4.9"/>
+ <affects prod="httpd" version="2.4.7"/>
+ <affects prod="httpd" version="2.4.6"/>
+ <affects prod="httpd" version="2.4.4"/>
+ <affects prod="httpd" version="2.4.3"/>
+ <affects prod="httpd" version="2.4.2"/>
+ <affects prod="httpd" version="2.4.1"/>
+ <affects prod="httpd" version="2.4.0"/>
+</issue>
<issue reported="20190129" public="20190401">
<cve name="CVE-2019-0197"/>
<severity level="4">low</severity>
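Review bot: Several added entries are not well-formed XML: the acknowledgements for CVE-2019-10082, CVE-2019-10081 and CVE-2019-10097 contain raw angle brackets around e-mail addresses (`<vuln-report@secur3.us>`, `<cpu@letsencrypt.org>`), and the second `<p>` in the CVE-2019-10092 description is never closed before `</description>`. Escape the addresses, e.g. `The issue was discovered by Craig Young of Tripwire VERT, &lt;vuln-report@secur3.us&gt;.`, and add `</p>` after "cross-site scripting attacks.". Draft markers are also left in the published data: `@FIXME` at the end of the CVE-2019-10097 acknowledgement and `version="2.4.40FIXME"` on the CVE-2019-10098 `<fixed>` element, which would not match a release number for anything that parses that attribute. The `<fixed>` versions differ between entries that share the same date (2.4.40 for most, 2.4.41 for CVE-2019-10097), and the `affects` lists for CVE-2019-10092 and CVE-2019-10097 stop at 2.4.38 while the others include 2.4.39, so both are worth confirming against the release that actually shipped, since administrators use these fields to decide whether they need to patch. The descriptions also carry the typos `malfomed`, `deference` and `an an`.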