Univention Bugzilla – Bug 49237
apache2: Multiple issues (4.4)
Last modified: 2019-04-10 14:19:09 CEST
New Debian apache2 2.4.25-3+deb9u7A~4.4.0.201904051133 fixes: This update addresses the following issues: * mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * mod_session_cookie does not respect expiry time (CVE-2018-17199) * mod_http2: read-after-free on a string compare (CVE-2019-0196) * privilege escalation from modules scripts (CVE-2019-0211) * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * URL normalization inconsistency (CVE-2019-0220)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/apache2_2.4.25-3+deb9u6A~4.3.2.201811190845.dsc +++ apt/ucs_4.4-0-errata4.4-0/source/apache2_2.4.25-3+deb9u7A~4.4.0.201904051133.dsc @@ -1,9 +1,30 @@ -2.4.25-3+deb9u6A~4.3.2.201811190845 [Mon, 19 Nov 2018 09:00:01 +0100] Univention builddaemon <buildd@univention.de>: +2.4.25-3+deb9u7A~4.4.0.201904051133 [Mon, 08 Apr 2019 08:33:43 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 05-autostart-setting 10-apache2-reload 20-no-proxy + +2.4.25-3+deb9u7 [Tue, 02 Apr 2019 21:05:13 +0200] Stefan Fritsch <sf@debian.org>: + + [ Xavier Guimard ] + * CVE-2018-17199: mode_session: Fix missing check for session expiry time. + Closes: #920303 + + [ Stefan Fritsch ] + * mod_http2: Fix keepalive timeout behavior. This fixes a regression with + Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 + * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. + Closes: #904150 + * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. + Closes: #920302 + * CVE-2019-0196: mod_http2: Fix read after free + * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. + * CVE-2019-0217: mod_auth_digest: Access control bypass + * CVE-2019-0220: URL normalization inconsistincy. + Consecutive slashes in URL's are now merged before use in LocationMatch + and RewriteRule. The old behavior can be restored with the new directive + "MergeSlashes off". 2.4.25-3+deb9u6 [Sat, 03 Nov 2018 19:46:19 +0100] Stefan Fritsch <sf@debian.org>: <http://10.200.17.11/4.4-0/#4465618157882679189>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.4-0] 82afe269fd Bug #49237: apache2 2.4.25-3+deb9u7A~4.4.0.201904051133 doc/errata/staging/apache2.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
<http://errata.software-univention.de/ucs/4.4/42.html>