Subject: [ASA-201904-3] apache: multiple issues Arch Linux Security Advisory ASA-201904-3 ========================================= Severity: Critical Date : 2019-04-05 CVE-ID : CVE-2019-0196 CVE-2019-0197 CVE-2019-0211 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 Package : apache Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-946 Summary ======= The package apache before version 2.4.39-1 is vulnerable to multiple issues including privilege escalation, access restriction bypass and denial of service. Resolution ========== Upgrade to 2.4.39-1. # pacman -Syu "apache>=2.4.39-1" The problems have been fixed upstream in version 2.4.39. Workaround ========== None. Description =========== - CVE-2019-0196 (denial of service) A use-after-free issue has been found in the http/2 request handling code of Apache HTTPd <= 2.4.18 and <= 2.4.38. Using crafted network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. - CVE-2019-0197 (denial of service) An issue has been found in Apache HTTPd >= 2.4.34 and <= 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the "H2Upgrade on" is unaffected by this. - CVE-2019-0211 (privilege escalation) In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. - CVE-2019-0215 (access restriction bypass) In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions. - CVE-2019-0217 (access restriction bypass) In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. - CVE-2019-0220 (access restriction bypass) A security issue has been found in Apache HTTPd 2.4.x before 2.4.39. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. Impact ====== A remote attacker can bypass access control restrictions, or crash a server via a crafted HTTP/2 query. A local attacker can elevate privileges to root by manipulating the scoreboard. References ========== https://httpd.apache.org/security/vulnerabilities_24.html https://security.archlinux.org/CVE-2019-0196 https://security.archlinux.org/CVE-2019-0197 https://security.archlinux.org/CVE-2019-0211 https://security.archlinux.org/CVE-2019-0215 https://security.archlinux.org/CVE-2019-0217 https://security.archlinux.org/CVE-2019-0220