[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-29 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.2

---
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

 -- Steve Beattie   Mon, 26 Aug 2019 06:31:40 -0700

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1840188

Title:
  Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1840188/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-29 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10

---
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie   Mon, 26 Aug 2019 06:41:23 -0700

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11763

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1302

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1333

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17189

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0196

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10081

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10082

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10092

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10098

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9517

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10097

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-26 Thread Jose Delarosa
Testing on Bionic, some sanity checking only. Looks good so far.

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-24 Thread Alex Murray
Any testing which you can give would be great.

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-23 Thread Jose Delarosa
Alex,

If I can find a suitable test case I'd be happy to test. Or are we
talking just general testing?

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-22 Thread Alex Murray
There is a package in the ubuntu-security-proposed PPA which includes
this fix (and some others) for both bionic and disco, any testing which
you could provide would be appreciated.
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-16 Thread Christian Ehrhardt 
Hi,
this is tracked in
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0197.html
but the priority currently is low.

There seems to be all kinds of http2 effort right now.
I'll ping the security team to be aware of your bug to close it once a fix is
released.

** Changed in: apache2 (Ubuntu)
   Status: New => Triaged

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

2019-08-15 Thread Hans Joachim Desserud
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0197
