Summary: | <www-servers/apache-2.4.46: Multiple vulnerabilities (CVE-2020-{9490,11993,11984,11985}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | apache-bugs, polynomial-c, whissi |
Priority: | Normal | Keywords: | CC-ARCHES, STABLEREQ |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | www-servers/apache-2.4.46, app-admin/apache-tools-2.4.46 | ||
Runtime testing required: | --- |
Description
Sam James
2020-08-07 18:33:09 UTC
* CVE-2020-9490

Description:
"A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers."

arm done

sparc done

x86 done

arm64 done

amd64 done

This issue was resolved and addressed in GLSA 202008-04 at https://security.gentoo.org/glsa/202008-04 by GLSA coordinator Sam James (sam_c).

Reopening for remaining arches.

hppa stable

ppc done

ppc64 done

all arches done

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdc63e39dd1365d45aaf16389ca3ba746a6eae09

commit fdc63e39dd1365d45aaf16389ca3ba746a6eae09
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-31 23:00:21 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-31 23:00:28 +0000

    www-servers/apache: security cleanup

    Bug: https://bugs.gentoo.org/736282
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/apache/Manifest | 1 -
 www-servers/apache/apache-2.4.43.ebuild | 272 --------------------------------
 2 files changed, 273 deletions(-)