
[ASA-201901-14] apache: multiple issues
Arch Linux Security Advisory ASA-201901-14
==========================================

Severity: High
Date    : 2019-01-24
CVE-ID  : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
Package : apache
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-857

Summary
=======

The package apache before version 2.4.38-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
==========

Upgrade to 2.4.38-1.

# pacman -Syu "apache>=2.4.38-1"

The problems have been fixed upstream in version 2.4.38.

Workaround
==========

- CVE-2018-17189

Disable the h2 protocol.

Description
===========

- CVE-2018-17189 (denial of service)

By sending request bodies in a slow loris way to plain resources, the h2
stream of Apache HTTP Server before 2.4.38 for that request unnecessarily
occupied a server thread cleaning up that incoming data. This affects only
HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

- CVE-2018-17199 (insufficient validation)

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
session expiry time before decoding the session. This causes the session
expiry time to be ignored for mod_session_cookie sessions, since the expiry
time is only loaded when the session is decoded.

- CVE-2019-0190 (denial of service)

A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause mod_ssl to
enter a loop, leading to a denial of service. This bug can only be triggered
with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or
later, due to an interaction in changes to the handling of renegotiation
attempts.

Impact
======

An attacker is able to crash the Apache server by sending maliciously
crafted h2 requests and SSL handshakes.

In addition, an attacker is able to reuse an expired session.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
https://security.archlinux.org/CVE-2018-17189
https://security.archlinux.org/CVE-2018-17199
https://security.archlinux.org/CVE-2019-0190