apache

Description: A high performance Unix-based HTTP server
Version: 2.4.38-1 [extra]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-857 | 2.4.37-1 | 2.4.38-1 | High | Fixed | |
| AVG-736 | 2.4.33-3 | 2.4.34-1 | Medium | Fixed | |
| AVG-664 | 2.4.29-1 | 2.4.33-1 | Medium | Fixed | |
| AVG-404 | 2.4.27-1 | 2.4.27-2 | High | Fixed | |
| AVG-350 | 2.4.26-3 | 2.4.27-1 | Critical | Fixed | |
| AVG-316 | 2.4.25-3 | 2.4.26-1 | High | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2019-0190 | AVG-857 | High | Yes | Denial of service | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a... |
| CVE-2018-8011 | AVG-736 | Medium | Yes | Denial of service | By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be... |
| CVE-2018-17199 | AVG-857 | Medium | Yes | Insufficient validation | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time... |
| CVE-2018-17189 | AVG-857 | High | Yes | Denial of service | By sending request bodies in a slowloris fashion to plain resources, the h2 stream of Apache HTTP Server before 2.4.38 for that request unnecessarily occupied... |
| CVE-2018-1333 | AVG-736 | Low | Yes | Denial of service | By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. |
| CVE-2018-1312 | AVG-664 | Low | Yes | Content spoofing | In Apache httpd 2.2.0 before 2.4.30, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly... |
| CVE-2018-1303 | AVG-664 | Low | Yes | Denial of service | A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out-of-bounds read while preparing data... |
| CVE-2018-1302 | AVG-664 | Low | Yes | Denial of service | When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an... |
| CVE-2018-1301 | AVG-664 | Low | Yes | Denial of service | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out-of-bounds access after a size limit is reached... |
| CVE-2018-1283 | AVG-664 | Medium | Yes | Session hijacking | In Apache httpd 2.2.0 before 2.4.30, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a... |
| CVE-2017-9798 | AVG-404 | High | Yes | Information disclosure | A use-after-free vulnerability has been discovered in Apache HTTP 2.4.27 that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS... |
| CVE-2017-9789 | AVG-350 | Critical | Yes | Arbitrary code execution | A security issue has been found in Apache's mod_http2 <= 2.4.26. When under stress, closing many connections, the HTTP/2 handling code would sometimes... |
| CVE-2017-9788 | AVG-350 | High | Yes | Information disclosure | A security issue has been found in Apache's mod_auth_digest <= 2.4.26, leading to information disclosure or denial of service. The value placeholder in... |
| CVE-2017-7679 | AVG-316 | Medium | Yes | Denial of service | An out-of-bounds read has been found in Apache httpd < 2.4.26, where mod_mime can read one byte past the end of a buffer when a malicious Content-Type... |
| CVE-2017-7668 | AVG-316 | High | Yes | Information disclosure | An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list... |
| CVE-2017-7659 | AVG-316 | High | Yes | Denial of service | A NULL-pointer dereference leading to denial of service has been found in the mod_http2 component of Apache httpd < 2.4.26. A maliciously constructed HTTP/2... |
| CVE-2017-3169 | AVG-316 | Medium | Yes | Denial of service | A NULL-pointer dereference leading to denial of service has been found in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may dereference a NULL... |
| CVE-2017-3167 | AVG-316 | Medium | Yes | Authentication bypass | An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside... |
| CVE-2017-15715 | AVG-664 | Low | Yes | Access restriction bypass | In Apache httpd 2.4.0 before 2.4.30, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than... |
| CVE-2017-15710 | AVG-664 | Low | Yes | Denial of service | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language... |

Advisories

| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 24 Jan 2019 | ASA-201901-14 | AVG-857 | High | multiple issues |
| 20 Jul 2018 | ASA-201807-12 | AVG-736 | Medium | denial of service |
| 04 Apr 2018 | ASA-201804-4 | AVG-664 | Medium | multiple issues |
| 18 Sep 2017 | ASA-201709-15 | AVG-404 | High | information disclosure |
| 14 Jul 2017 | ASA-201707-15 | AVG-350 | Critical | multiple issues |
| 28 Jun 2017 | ASA-201706-34 | AVG-316 | High | multiple issues |