[ANNOUNCEMENT] Apache HTTP Server 2.4.41 Released

2019-08-14 Thread Daniel Ruggeri
Apache HTTP Server 2.4.41 Released
August 14, 2019
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.41 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the n

CVE-2019-10081: mod_http2, memory corruption on early pushes

2019-08-14 Thread Daniel Ruggeri
CVE-2019-10081: mod_http2, memory corruption on early pushes
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.20 to 2.4.39
Description: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pus

CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown

2019-08-14 Thread Daniel Ruggeri
CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.18 to 2.4.39
Description: Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during

CVE-2019-10092: Limited cross-site scripting in mod_proxy

2019-08-14 Thread Daniel Ruggeri
CVE-2019-10092: Limited cross-site scripting in mod_proxy
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.0-2.4.39
Description: A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error

CVE-2019-10097: mod_remoteip stack buffer overflow and NULL pointer dereference

2019-08-14 Thread Daniel Ruggeri
CVE-2019-10097: mod_remoteip stack buffer overflow and NULL pointer dereference
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.32 to 2.4.39
Description: When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protoc

CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect

2019-08-14 Thread Daniel Ruggeri
CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.0 to 2.4.39
Description: Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines

CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers

2019-08-14 Thread Daniel Ruggeri
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers.
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.20 to 2.4.39
Description: A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading resp