Security Information / 2019 / Security Information -- DSA-4509-1 apache2

Debian Security Advisory

DSA-4509-1 apache2 -- security update

Date Reported:

26 Aug 2019

Affected Packages:

apache2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-9517, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098.

More information:

Several vulnerabilities have been found in the Apache HTTPD server.

• CVE-2019-9517

  Jonathan Looney reported that a malicious client could perform a denial of service attack (exhausting h2 workers) by flooding a connection with requests and basically never reading responses on the TCP connection.

• CVE-2019-10081

  Craig Young reported that HTTP/2 PUSHes could lead to an overwrite of memory in the pushing request's pool, leading to crashes.

• CVE-2019-10082

  Craig Young reported that the HTTP/2 session handling could be made to read memory after being freed, during connection shutdown.

• CVE-2019-10092

  Matei Mal Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page.

• CVE-2019-10097

  Daniel McCarney reported that when mod_remoteip was configured to use a trusted intermediary proxy server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. The issue does not affect the stretch release.

• CVE-2019-10098

  Yukitsugu Sasaki reported a potential open redirect vulnerability in the mod_rewrite module.

For the oldstable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u8.

For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2