Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1258-1 Final 1 1 2019-04-23T14:09:24Z current 2019-04-23T14:09:24Z 2019-04-23T14:09:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: * CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241] * CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239] * CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child processes or threads to execute arbitrary code with the privileges of the parent process. Attackers with control over CGI scripts or extension modules run by the server could have abused this issue to potentially gain super user privileges. [bsc#1131233] * CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a 'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. This issue could have been abused to mount a denial-of-service attack. Servers that never enabled the h2 protocol or that only enabled it for https: and did not configure the 'H2Upgrade on' are unaffected. [bsc#1131245] * CVE-2019-0196: Through specially crafted network input the Apache's http/2 request handler could be lead to access previously freed memory while determining the method of a request. This resulted in the request being misclassified and thus being processed incorrectly. [bsc#1131237] This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html E-Mail link for openSUSE-SU-2019:1258-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 apache2-2.4.23-49.1 apache2-devel-2.4.23-49.1 apache2-doc-2.4.23-49.1 apache2-event-2.4.23-49.1 apache2-example-pages-2.4.23-49.1 apache2-prefork-2.4.23-49.1 apache2-utils-2.4.23-49.1 apache2-worker-2.4.23-49.1 apache2-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-devel-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-doc-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-event-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-example-pages-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-prefork-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-utils-2.4.23-49.1 as a component of openSUSE Leap 42.3 apache2-worker-2.4.23-49.1 as a component of openSUSE Leap 42.3 A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. CVE-2019-0196 openSUSE Leap 42.3:apache2-2.4.23-49.1 openSUSE Leap 42.3:apache2-devel-2.4.23-49.1 openSUSE Leap 42.3:apache2-doc-2.4.23-49.1 openSUSE Leap 42.3:apache2-event-2.4.23-49.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-49.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-49.1 openSUSE Leap 42.3:apache2-utils-2.4.23-49.1 openSUSE Leap 42.3:apache2-worker-2.4.23-49.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html https://www.suse.com/security/cve/CVE-2019-0196.html CVE-2019-0196 https://bugzilla.suse.com/1131237 SUSE Bug 1131237 A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue. CVE-2019-0197 openSUSE Leap 42.3:apache2-2.4.23-49.1 openSUSE Leap 42.3:apache2-devel-2.4.23-49.1 openSUSE Leap 42.3:apache2-doc-2.4.23-49.1 openSUSE Leap 42.3:apache2-event-2.4.23-49.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-49.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-49.1 openSUSE Leap 42.3:apache2-utils-2.4.23-49.1 openSUSE Leap 42.3:apache2-worker-2.4.23-49.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html https://www.suse.com/security/cve/CVE-2019-0197.html CVE-2019-0197 https://bugzilla.suse.com/1131245 SUSE Bug 1131245 In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. CVE-2019-0211 openSUSE Leap 42.3:apache2-2.4.23-49.1 openSUSE Leap 42.3:apache2-devel-2.4.23-49.1 openSUSE Leap 42.3:apache2-doc-2.4.23-49.1 openSUSE Leap 42.3:apache2-event-2.4.23-49.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-49.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-49.1 openSUSE Leap 42.3:apache2-utils-2.4.23-49.1 openSUSE Leap 42.3:apache2-worker-2.4.23-49.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html https://www.suse.com/security/cve/CVE-2019-0211.html CVE-2019-0211 https://bugzilla.suse.com/1131233 SUSE Bug 1131233 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. CVE-2019-0217 openSUSE Leap 42.3:apache2-2.4.23-49.1 openSUSE Leap 42.3:apache2-devel-2.4.23-49.1 openSUSE Leap 42.3:apache2-doc-2.4.23-49.1 openSUSE Leap 42.3:apache2-event-2.4.23-49.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-49.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-49.1 openSUSE Leap 42.3:apache2-utils-2.4.23-49.1 openSUSE Leap 42.3:apache2-worker-2.4.23-49.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html https://www.suse.com/security/cve/CVE-2019-0217.html CVE-2019-0217 https://bugzilla.suse.com/1131239 SUSE Bug 1131239 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. CVE-2019-0220 openSUSE Leap 42.3:apache2-2.4.23-49.1 openSUSE Leap 42.3:apache2-devel-2.4.23-49.1 openSUSE Leap 42.3:apache2-doc-2.4.23-49.1 openSUSE Leap 42.3:apache2-event-2.4.23-49.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-49.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-49.1 openSUSE Leap 42.3:apache2-utils-2.4.23-49.1 openSUSE Leap 42.3:apache2-worker-2.4.23-49.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html https://www.suse.com/security/cve/CVE-2019-0220.html CVE-2019-0220 https://bugzilla.suse.com/1131241 SUSE Bug 1131241