ArchLinux: 201901-14: apache: multiple issues
Summary
- CVE-2018-17189 (denial of service)
By sending request bodies in a slow loris way to plain resources, the
h2 stream of Apache HTTP Server before 2.4.38 for that request
unnecessarily occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 connections. A possible mitigation is to not
enable the h2 protocol.
- CVE-2018-17199 (insufficient validation)
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes
session expiry time to be ignored for mod_session_cookie sessions since
the expiry time is loaded when the session is decoded.
- CVE-2019-0190 (denial of service)
A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause
mod_ssl to enter a loop leading to a denial of service. This bug can be
only triggered with Apache HTTP Server version 2.4.37 when using
OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.
Resolution
Upgrade to 2.4.38-1.
# pacman -Syu "apache>=2.4.38-1"
The problems have been fixed upstream in version 2.4.38.
References
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38 https://security.archlinux.org/CVE-2018-17189 https://security.archlinux.org/CVE-2018-17199 https://security.archlinux.org/CVE-2019-0190
Workaround
- CVE-2018-17189Disable the h2 protocol.