Mageia 2019-0109: apache security update

    Date 14 Mar 2019
    Posted By LinuxSecurity Advisories
    MGASA-2019-0109 - Updated apache packages fix security vulnerability
    
    Publication date: 14 Mar 2019
    URL: https://advisories.mageia.org/MGASA-2019-0109.html
    Type: security
    Affected Mageia releases: 6
    CVE: CVE-2018-17189,
         CVE-2018-17199
    
    By sending request bodies in a slow loris way to plain resources, the h2
    stream for that request unnecessarily occupied a server thread cleaning up
    that incoming data. This affects only HTTP/2 (mod_http2) connections in
    Apache HTTP Server versions 2.4.37 and prior (CVE-2018-17189).
    
    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
    session expiry time before decoding the session. This causes session
    expiry time to be ignored for mod_session_cookie sessions since the expiry
    time is loaded when the session is decoded (CVE-2018-17199).
    
    The apache package has been updated to version 2.4.38, fixing these issues
    and several other bugs.  See the upstream CHANGES files for details.
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=24226
    - https://www.apache.org/dist/httpd/CHANGES_2.4.38
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
    
    SRPMS:
    - 6/core/apache-2.4.38-1.mga6
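
The ordering problem described for CVE-2018-17199, as an added example that is not part of the advisory and is not Apache httpd's code: a simplified C model showing why an expiry test that runs before the session is decoded can never reject a cookie-backed session. The `session` struct, the `expiry=<unix time>` cookie layout, the function names and the rule that `expiry == 0` means "no expiry set" are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a cookie-backed session; not httpd's data structure. */
typedef struct {
    const char *encoded; /* raw cookie value as received from the client */
    long expiry;         /* stays 0 until decode_session() parses the cookie */
} session;

/* Hypothetical decoder: reads "expiry=<unix time>" out of the cookie value. */
static void decode_session(session *s) {
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? strtol(p + 7, NULL, 10) : 0;
}

/* Assumption: expiry == 0 means "no expiry set", so it never counts as expired. */
static int is_expired(const session *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Order described for 2.4.37 and prior: the expiry test runs on a session
 * that has not been decoded yet, sees 0, and cannot reject. 1 = accepted. */
int load_check_then_decode(const char *cookie, long now) {
    session s = { cookie, 0 };
    if (is_expired(&s, now)) return 0;
    decode_session(&s);
    return 1;
}

/* Corrected order: decode first so the expiry test sees the stored value. */
int load_decode_then_check(const char *cookie, long now) {
    session s = { cookie, 0 };
    decode_session(&s);
    return is_expired(&s, now) ? 0 : 1;
}

int main(void) {
    const char *stale = "user=alice&expiry=1000"; /* constructed sample */
    const char *fresh = "user=alice&expiry=3000"; /* constructed sample */
    long now = 2000;
    printf("check-then-decode: stale=%d fresh=%d\n",
           load_check_then_decode(stale, now), load_check_then_decode(fresh, now));
    printf("decode-then-check: stale=%d fresh=%d\n",
           load_decode_then_check(stale, now), load_decode_then_check(fresh, now));
    return 0;
}
```
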
    
