Univention Bugzilla – Bug 49236
apache2: Multiple issues (4.3)
Last modified: 2019-04-10 14:35:34 CEST
New Debian apache2 2.4.25-3+deb9u7A~4.3.3.201904051131 fixes: This update addresses the following issues: * mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * mod_session_cookie does not respect expiry time (CVE-2018-17199) * mod_http2: read-after-free on a string compare (CVE-2019-0196) * privilege escalation from modules scripts (CVE-2019-0211) * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * URL normalization inconsistency (CVE-2019-0220)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/apache2_2.4.25-3+deb9u6A~4.3.2.201811190845.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/apache2_2.4.25-3+deb9u7A~4.3.3.201904051131.dsc @@ -1,9 +1,30 @@ -2.4.25-3+deb9u6A~4.3.2.201811190845 [Mon, 19 Nov 2018 09:00:01 +0100] Univention builddaemon <buildd@univention.de>: +2.4.25-3+deb9u7A~4.3.3.201904051131 [Fri, 05 Apr 2019 11:31:48 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 05-autostart-setting 10-apache2-reload 20-no-proxy + +2.4.25-3+deb9u7 [Tue, 02 Apr 2019 21:05:13 +0200] Stefan Fritsch <sf@debian.org>: + + [ Xavier Guimard ] + * CVE-2018-17199: mode_session: Fix missing check for session expiry time. + Closes: #920303 + + [ Stefan Fritsch ] + * mod_http2: Fix keepalive timeout behavior. This fixes a regression with + Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 + * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. + Closes: #904150 + * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. + Closes: #920302 + * CVE-2019-0196: mod_http2: Fix read after free + * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. + * CVE-2019-0217: mod_auth_digest: Access control bypass + * CVE-2019-0220: URL normalization inconsistincy. + Consecutive slashes in URL's are now merged before use in LocationMatch + and RewriteRule. The old behavior can be restored with the new directive + "MergeSlashes off". 2.4.25-3+deb9u6 [Sat, 03 Nov 2018 19:46:19 +0100] Stefan Fritsch <sf@debian.org>: <http://10.200.17.11/4.3-3/#8523892427045836363>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.3-3] dc3dc2e5dd Bug #49236: apache2 2.4.25-3+deb9u7A~4.3.3.201904051131 doc/errata/staging/apache2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [4.3-3] 0bf5011c81 Bug #49236: apache2 2.4.25-3+deb9u7A~4.3.3.201904051131 doc/errata/staging/apache2.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
<http://errata.software-univention.de/ucs/4.3/472.html>