CVE-2019-17567
mod_proxy_wstunnel configured on a URL that is not
necessarily Upgraded by the origin server was tunneling
the whole connection regardless, thus allowing subsequent requests
on the same connection to pass through with no HTTP validation,
authentication or authorization that may be configured.
CVE-2023-31122
An Out-of-bounds Read vulnerability was found in mod_macro.
CVE-2023-38709
Faulty input validation was found in the core of Apache
that allows malicious or exploitable backend/content generators
to split HTTP responses.
CVE-2023-45802
When an HTTP/2 stream was reset (RST frame) by a client, there was a
time window where the request's memory resources were not reclaimed
immediately. Instead, de-allocation was deferred to connection close.
A client could send new requests and resets, keeping the connection
busy and open and causing the memory footprint to keep on growing.
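An added example, not httpd code and not part of the advisory: a small accounting model of the CVE-2023-45802 description, comparing cleanup deferred to connection close with cleanup at reset time. The per-stream allocation size, the concurrent-stream limit and all names are assumptions chosen for illustration; the point it shows is that the number of simultaneously open streams never exceeds one, so a concurrency limit does not bound the footprint.

```python
from dataclasses import dataclass, field

STREAM_BYTES = 16 * 1024   # assumed per-request allocation (illustrative)
MAX_CONCURRENT = 100       # assumed concurrent-stream limit (illustrative)


@dataclass
class Connection:
    deferred: bool                      # True models the behaviour in the advisory
    open_streams: set = field(default_factory=set)
    pending_free: int = 0               # bytes held for reset streams until close
    peak_bytes: int = 0

    def footprint(self):
        return len(self.open_streams) * STREAM_BYTES + self.pending_free

    def open_stream(self, stream_id):
        if len(self.open_streams) >= MAX_CONCURRENT:
            raise RuntimeError("concurrent stream limit reached")
        self.open_streams.add(stream_id)
        self.peak_bytes = max(self.peak_bytes, self.footprint())

    def reset_stream(self, stream_id):
        self.open_streams.remove(stream_id)
        if self.deferred:
            self.pending_free += STREAM_BYTES   # stays allocated until close()

    def close(self):
        self.open_streams.clear()
        self.pending_free = 0


def simulate(deferred, cycles):
    """Open then reset one stream per cycle on a single connection.

    Returns (peak open streams, peak bytes, bytes before close, bytes after close).
    """
    conn = Connection(deferred=deferred)
    peak_open = 0
    for i in range(cycles):
        sid = 2 * i + 1                 # client-initiated stream ids are odd
        conn.open_stream(sid)
        peak_open = max(peak_open, len(conn.open_streams))
        conn.reset_stream(sid)
    before_close = conn.footprint()
    conn.close()
    return peak_open, conn.peak_bytes, before_close, conn.footprint()


if __name__ == "__main__":
    for mode in (True, False):
        print("deferred" if mode else "immediate", simulate(mode, 1000))
```

In the deferred model the footprint grows linearly with the number of resets and only drops when the connection closes, which is why per-connection memory or connection lifetime is the signal to watch, not the count of open streams.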