Arch Linux Security Advisory ASA-201904-3
========================================
Severity: Critical
Date    : 2019-04-05
CVE-ID  : CVE-2019-0196 CVE-2019-0197 CVE-2019-0211 CVE-2019-0215
          CVE-2019-0217 CVE-2019-0220
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-946

Summary
======
The package apache before version 2.4.39-1 is vulnerable to multiple
issues including privilege escalation, access restriction bypass and
denial of service.

Resolution
=========
Upgrade to 2.4.39-1.

# pacman -Syu "apache>=2.4.39-1"

The problems have been fixed upstream in version 2.4.39.

Workaround
=========
None.

Description
==========
- CVE-2019-0196 (denial of service)

A use-after-free issue has been found in the http/2 request handling
code of Apache HTTPd <= 2.4.18 and <= 2.4.38. Using crafted network
input, the http/2 request handling could be made to access freed memory
in string comparison when determining the method of a request and thus
process the request incorrectly.

- CVE-2019-0197 (denial of service)

An issue has been found in Apache HTTPd >= 2.4.34 and <= 2.4.38. When
HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on
a https: host, an Upgrade request from http/1.1 to http/2 that was not
the first request on a connection could lead to a misconfiguration and
crash. A server that never enabled the h2 protocol or that only enabled
it for https: and did not configure the "H2Upgrade on" is unaffected by
this.

- CVE-2019-0211 (privilege escalation)

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes or
threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the
parent process (usually root) by manipulating the scoreboard.

- CVE-2019-0215 (access restriction bypass)

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl
when using per-location client certificate verification with TLSv1.3
allowed a client supporting Post-Handshake Authentication to bypass
configured access control restrictions.

- CVE-2019-0217 (access restriction bypass)

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in
mod_auth_digest when running in a threaded server could allow a user
with valid credentials to authenticate using another username,
bypassing configured access control restrictions.

- CVE-2019-0220 (access restriction bypass)

A security issue has been found in Apache HTTPd 2.4.x before 2.4.39.
When the path component of a request URL contains multiple consecutive
slashes ('/'), directives such as LocationMatch and RewriteRule must
account for duplicates in regular expressions while other aspects of
the servers processing will implicitly collapse them.

Impact
=====
A remote attacker can bypass access control restrictions, or crash a
server via a crafted HTTP/2 query. A local attacker can elevate
privileges to root by manipulating the scoreboard.

References
=========
https://httpd.apache.org/security/vulnerabilities_24.html
https://security.archlinux.org/CVE-2019-0196
https://security.archlinux.org/CVE-2019-0197
https://security.archlinux.org/CVE-2019-0211
https://security.archlinux.org/CVE-2019-0215
https://security.archlinux.org/CVE-2019-0217
https://security.archlinux.org/CVE-2019-0220

ArchLinux: 201904-3: apache: multiple issues

April 11, 2019

Summary

- CVE-2019-0196 (denial of service) A use-after-free issue has been found in the http/2 request handling code of Apache HTTPd <= 2.4.18 and <= 2.4.38. Using crafted network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.
- CVE-2019-0197 (denial of service)
An issue has been found in Apache HTTPd >= 2.4.34 and <= 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the "H2Upgrade on" is unaffected by this.
- CVE-2019-0211 (privilege escalation)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard.
- CVE-2019-0215 (access restriction bypass)
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
- CVE-2019-0217 (access restriction bypass)
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
- CVE-2019-0220 (access restriction bypass)
A security issue has been found in Apache HTTPd 2.4.x before 2.4.39. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Resolution

Upgrade to 2.4.39-1. # pacman -Syu "apache>=2.4.39-1"
The problems have been fixed upstream in version 2.4.39.

References

https://httpd.apache.org/security/vulnerabilities_24.html https://security.archlinux.org/CVE-2019-0196 https://security.archlinux.org/CVE-2019-0197 https://security.archlinux.org/CVE-2019-0211 https://security.archlinux.org/CVE-2019-0215 https://security.archlinux.org/CVE-2019-0217 https://security.archlinux.org/CVE-2019-0220

Severity
CVE-2019-0217 CVE-2019-0220
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-946

Workaround

None.

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved