Ubuntu 3937-1: Apache HTTP Server vulnerabilities

    Date: 04 Apr 2019
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in the Apache HTTP Server.
    ==========================================================================
    Ubuntu Security Notice USN-3937-1
    April 04, 2019
    
    apache2 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 18.10
    - Ubuntu 18.04 LTS
    - Ubuntu 16.04 LTS
    - Ubuntu 14.04 LTS
    
    Summary:
    
    Several security issues were fixed in the Apache HTTP Server.
    
    Software Description:
    - apache2: Apache HTTP server
    
    Details:
    
    Charles Fol discovered that the Apache HTTP Server incorrectly handled the
    scoreboard shared memory area. A remote attacker able to upload and run
    scripts could possibly use this issue to execute arbitrary code with root
    privileges. (CVE-2019-0211)
    
    It was discovered that the Apache HTTP Server HTTP/2 module incorrectly
    handled certain requests. A remote attacker could possibly use this issue
    to cause the server to consume resources, leading to a denial of service.
    This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10.
    (CVE-2018-17189)
    
    It was discovered that the Apache HTTP Server incorrectly handled session
    expiry times. When used with mod_session_cookie, this may result in the
    session expiry time being ignored, contrary to expectations.
    (CVE-2018-17199)
    
    Craig Young discovered that the Apache HTTP Server HTTP/2 module
    incorrectly handled certain requests. A remote attacker could possibly use
    this issue to cause the server to process requests incorrectly. This issue
    only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-0196)
    
    Simon Kappel discovered that the Apache HTTP Server mod_auth_digest module
    incorrectly handled threads. A remote attacker with valid credentials could
    possibly use this issue to authenticate using another username, bypassing
    access control restrictions. (CVE-2019-0217)
    
    Bernhard Lorenz discovered that the Apache HTTP Server was inconsistent
    when processing requests containing multiple consecutive slashes. This
    could cause directives such as LocationMatch and RewriteRule to behave
    contrary to expectations. (CVE-2019-0220)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 18.10:
      apache2-bin                     2.4.34-1ubuntu2.1
    
    Ubuntu 18.04 LTS:
      apache2-bin                     2.4.29-1ubuntu4.6
    
    Ubuntu 16.04 LTS:
      apache2-bin                     2.4.18-2ubuntu3.10
    
    Ubuntu 14.04 LTS:
      apache2-bin                     2.4.7-1ubuntu4.22
    
    In general, a standard system update will make all the necessary changes.
    
    References:
      https://usn.ubuntu.com/usn/usn-3937-1
      CVE-2018-17189, CVE-2018-17199, CVE-2019-0196, CVE-2019-0211,
      CVE-2019-0217, CVE-2019-0220
    
    Package Information:
      https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.1
      https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.6
      https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu3.10
      https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.22
    
    