Debian: DSA-4509-1: apache2 security update
Debian: DSA-4509-1: apache2 security update
Several vulnerabilities have been found in the Apache HTTPD server. CVE-2019-9517
- ------------------------------------------------------------------------- Debian Security Advisory DSA-4509-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Salvatore Bonaccorso August 26, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : apache2 CVE ID : CVE-2019-9517 CVE-2019-10081 CVE-2019-10082 CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2019-9517 Jonathan Looney reported that a malicious client could perform a denial of service attack (exhausting h2 workers) by flooding a connection with requests and basically never reading responses on the TCP connection. CVE-2019-10081 Craig Young reported that HTTP/2 PUSHes could lead to an overwrite of memory in the pushing request's pool, leading to crashes. CVE-2019-10082 Craig Young reported that the HTTP/2 session handling could be made to read memory after being freed, during connection shutdown. CVE-2019-10092 Matei "Mal" Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page. CVE-2019-10097 Daniel McCarney reported that when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. The issue does not affect the stretch release. CVE-2019-10098 Yukitsugu Sasaki reported a potential open redirect vulnerability in the mod_rewrite module. For the oldstable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u8. For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u1. We recommend that you upgrade your apache2 packages. For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.