#11576: httpd-2.4.38
-------------------------+---------------------
Reporter: renodr | Owner: bdubbs
Type: enhancement | Status: closed
Priority: high | Milestone: 8.4
Component: BOOK | Version: SVN
Severity: normal | Resolution: fixed
Keywords: |
-------------------------+---------------------
Changes (by renodr):
* priority: normal => high
Comment:
{{{
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.37
Description:
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service. This bug can be only triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.
Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.
Credit:
The issue was identified through user bug reports.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
}}}
{{{
CVE-2018-17199: mod_session_cookie does not respect expiry time
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.37
Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for
mod_session_cookie sessions since the expiry time is loaded
when the session is decoded.
Mitigation:
All httpd users deploying mod_session should upgrade to 2.4.38 or later.
Credit:
The issue was discovered by Diego Angulo from ImExHS.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
}}}
{{{
CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.17 to 2.4.37
Description:
By sending request bodies in a slow loris way to plain
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior.
Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.
Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11576#comment:4>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
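The ordering problem described for CVE-2018-17199 above (expiry checked before the session is decoded, so a cookie-carried expiry is never seen) can be modelled outside httpd. The following is an added Python illustration, not httpd's mod_session code: the cookie format, function names and timestamps are constructed assumptions.

```python
"""Constructed model of the check-before-decode ordering bug in
CVE-2018-17199 (mod_session_cookie). Illustrative Python, not httpd's C code:
the cookie format, function names and values are assumptions."""
import base64
import json
from typing import Optional


def encode_session(data: dict, expiry: float) -> str:
    """Pack session data plus its expiry into an opaque cookie value.
    The expiry only becomes visible once the cookie is decoded."""
    payload = {"expiry": expiry, "data": data}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def decode_cookie(cookie: str) -> dict:
    """Reverse of encode_session (no integrity protection; model only)."""
    return json.loads(base64.urlsafe_b64decode(cookie.encode()))


def load_session_vulnerable(cookie: str, now: float) -> Optional[dict]:
    """Mirrors the 2.4.37 behaviour the advisory describes: the expiry check
    runs before the cookie is decoded, so it only ever sees the default
    expiry of 0 (meaning 'no expiry') and never rejects a stale session."""
    session = {"expiry": 0, "data": {}}
    # Expiry check on the not-yet-decoded session: always passes.
    if session["expiry"] and session["expiry"] < now:
        return None
    decoded = decode_cookie(cookie)          # expiry is only loaded here
    session["expiry"] = decoded["expiry"]
    session["data"] = decoded["data"]
    return session["data"]


def load_session_fixed(cookie: str, now: float) -> Optional[dict]:
    """Decode first, then check the expiry the cookie actually carries."""
    decoded = decode_cookie(cookie)
    if decoded["expiry"] and decoded["expiry"] < now:
        return None                          # expired: treat as no session
    return decoded["data"]


if __name__ == "__main__":
    issued = 1_000_000.0                     # constructed timestamps
    cookie = encode_session({"user": "alice"}, expiry=issued + 3600)
    later = issued + 7200                    # one hour past expiry
    print("vulnerable:", load_session_vulnerable(cookie, later))  # data returned
    print("fixed:     ", load_session_fixed(cookie, later))       # None
```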
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html