Bug 692172 (CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-9517)

Summary: <www-servers/apache-2.4.41: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Matthias Vill <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: apache-bugs, hydrapolic, polynomial-c, whissi
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
app-admin/apache-tools-2.4.41 www-servers/apache-2.4.41
Runtime testing required: ---

Description Matthias Vill 2019-08-14 22:20:24 UTC
I just stumbled onto Apache 2.4.41 and the change log really sounds interesting: http://www.apache.org/dist/httpd/CHANGES_2.4.41

Excerpt:
>>>
  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
     could lead to an overwrite of memory in the pushing request's pool,
     leading to crashes. The memory copied is that of the configured push
     link header values, not data supplied by the client. [Stefan Eissing]

  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
     mod_http2: a malicious client could perform a DoS attack by flooding
     a connection with requests and basically never reading responses
     on the TCP connection. Depending on h2 worker dimensioning, it was
     possible to block those with relatively few connections. [Stefan Eissing]

  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     [Yann Ylavic]

  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
     Remove HTML-escaped URLs from canned error responses to prevent misleading
     text/links being displayed via crafted links. [Eric Covener]

  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
     mod_remoteip: Fix stack buffer overflow and NULL pointer dereference
     when reading the PROXY protocol header.  [Joe Orton,
     Daniel McCarney <cpu letsencrypt.org>]

  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
     mod_http2: Using fuzzed network input, the http/2 session
     handling could be made to read memory after being freed,
     during connection shutdown. [Stefan Eissing]
>>>

Please bump!

Reproducible: Always
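
For the CVE-2019-10098 entry in the excerpt above, an added example (not part of the bug report or of Apache's code) that audits rewrite-style patterns for results that depend on the DOTALL flag when the path carries an encoded line break. It uses Python's `re` as a stand-in for PCRE and assumes patterns are matched against the URL-decoded path; the sample patterns and probe path are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample patterns in the style of RewriteRule regexes
# (hypothetical; not taken from any real configuration).
SAMPLE_PATTERNS = [
    r"^/docs/(.*)$",   # anchored capture: stops matching at all without DOTALL
    r"^/docs/(.*)",    # open tail: still matches, but the capture is cut short
    r"^/docs/[^/]+$",  # negated class already accepts a line break
]


def match_result(pattern, text, dotall):
    """Return (whole match, *groups), or None when the pattern does not match."""
    m = re.search(pattern, text, re.DOTALL if dotall else 0)
    return None if m is None else (m.group(0),) + m.groups()


def dotall_sensitive(pattern, encoded_path):
    """Match the URL-decoded path without and with DOTALL.

    Returns (differs, result_without_dotall, result_with_dotall).
    """
    decoded = unquote(encoded_path)
    before = match_result(pattern, decoded, dotall=False)
    after = match_result(pattern, decoded, dotall=True)
    return before != after, before, after


def audit(patterns, encoded_path):
    """List the patterns whose match or captures depend on the DOTALL flag."""
    return [p for p in patterns if dotall_sensitive(p, encoded_path)[0]]


if __name__ == "__main__":
    probe = "/docs/a%0Ab"  # constructed path containing an encoded line feed
    for p in SAMPLE_PATTERNS:
        differs, before, after = dotall_sensitive(p, probe)
        print(f"{p!r}: differs={differs} before={before} after={after}")
```

Patterns reported by `audit` are the ones whose behaviour changes across the 2.4.41 upgrade and are worth reviewing in existing rewrite configuration.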
Comment 2 Tomáš Mózes 2019-08-15 19:19:38 UTC
Please call stabilization.

I've deployed on like 30 servers and it seems to work fine.
Comment 3 Rolf Eike Beer 2019-08-16 17:43:50 UTC
hppa/sparc stable
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-16 20:35:47 UTC
arm64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-08-16 22:39:01 UTC
x86 stable
Comment 6 Sergei Trofimovich gentoo-dev 2019-08-17 20:59:02 UTC
ia64/ppc/ppc64
Comment 7 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:46 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-23 16:33:29 UTC
alpha stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:11:35 UTC
arm stable
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-02 22:37:40 UTC
@maintainer, please drop vulnerable.
Comment 11 Larry the Git Cow gentoo-dev 2019-09-03 07:56:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d769033e151e12e3ef46c1785e0437cf94803213

commit d769033e151e12e3ef46c1785e0437cf94803213
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-03 07:56:11 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-03 07:56:11 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/692172
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 -
 app-admin/apache-tools/apache-tools-2.4.39.ebuild | 105 ----------------------
 2 files changed, 106 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=940c00751c3468b0805a99f3626330d89f5806a1

commit 940c00751c3468b0805a99f3626330d89f5806a1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-03 07:55:17 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-03 07:55:17 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/692172
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.39.ebuild | 257 --------------------------------
 2 files changed, 258 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-09-06 16:17:58 UTC
This issue was resolved and addressed in
 GLSA 201909-04 at https://security.gentoo.org/glsa/201909-04
by GLSA coordinator Thomas Deutschmann (whissi).