ArchLinux: 201901-14: apache: multiple issues

    Date27 Jan 2019
    Posted ByAnthony Pell
    The package apache before version 2.4.38-1 is vulnerable to multiple issues including denial of service and insufficient validation.
    Arch Linux Security Advisory ASA-201901-14
    Severity: High
    Date    : 2019-01-24
    CVE-ID  : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
    Package : apache
    Type    : multiple issues
    Remote  : Yes
    Link    :
    The package apache before version 2.4.38-1 is vulnerable to multiple
    issues including denial of service and insufficient validation.
    Upgrade to 2.4.38-1.
    # pacman -Syu "apache>=2.4.38-1"
    The problems have been fixed upstream in version 2.4.38.
    - CVE-2018-17189
    Disable the h2 protocol.
    - CVE-2018-17189 (denial of service)
    By sending request bodies in a slow loris way to plain resources, the
    h2 stream of Apache HTTP Server before 2.4.38 for that request
    unnecessarily occupied a server thread cleaning up that incoming data.
    This affects only HTTP/2 connections. A possible mitigation is to not
    enable the h2 protocol.
    - CVE-2018-17199 (insufficient validation)
    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
    the session expiry time before decoding the session. This causes
    session expiry time to be ignored for mod_session_cookie sessions since
    the expiry time is loaded when the session is decoded.
    - CVE-2019-0190 (denial of service)
    A bug exists in the way mod_ssl handled client renegotiations. A remote
    attacker could send a carefully crafted request that would cause
    mod_ssl to enter a loop leading to a denial of service. This bug can be
    only triggered with Apache HTTP Server version 2.4.37 when using
    OpenSSL version 1.1.1 or later, due to an interaction in changes to
    handling of renegotiation attempts.
    An attacker is able to crash the Apache server by sending maliciously-
    crafted h2 requests and SSL handshakes. In addition, an attacker is
    able to reuse an expired session.
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.