Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 692172 (CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-9517) - <www-servers/apache-2.4.41: Multiple vulnerabilities
Summary: <www-servers/apache-2.4.41: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-9517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-14 22:20 UTC by Matthias Vill
Modified: 2019-09-06 16:17 UTC (History)
4 users (show)

See Also:
Package list:
app-admin/apache-tools-2.4.41 www-servers/apache-2.4.41
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Vill 2019-08-14 22:20:24 UTC
I just stumbled onto Apache 2.4.41 and the change log really sound interesting: http://www.apache.org/dist/httpd/CHANGES_2.4.41

Excerpt:
>>>
  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
     could lead to an overwrite of memory in the pushing request's pool,
     leading to crashes. The memory copied is that of the configured push
     link header values, not data supplied by the client. [Stefan Eissing]

  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
     mod_http2: a malicious client could perform a DoS attack by flooding
     a connection with requests and basically never reading responses
     on the TCP connection. Depending on h2 worker dimensioning, it was
     possible to block those with relatively few connections. [Stefan Eissing]

  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     [Yann Ylavic]

  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
     Remove HTML-escaped URLs from canned error responses to prevent misleading
     text/links being displayed via crafted links. [Eric Covener]

  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
     when reading the PROXY protocol header.  [Joe Orton,
     Daniel McCarney <cpu letsencrypt.org>]

  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
     mod_http2: Using fuzzed network input, the http/2 session
     handling could be made to read memory after being freed,
     during connection shutdown. [Stefan Eissing]
>>>

Please bump!

Reproducible: Always
Comment 2 Tomáš Mózes 2019-08-15 19:19:38 UTC
Please call stabilization.

I've deployed on like 30 servers and seems to work fine.
Comment 3 Rolf Eike Beer 2019-08-16 17:43:50 UTC
hppa/sparc stable
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-16 20:35:47 UTC
arm64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-08-16 22:39:01 UTC
x86 stable
Comment 6 Sergei Trofimovich gentoo-dev 2019-08-17 20:59:02 UTC
ia64/ppc/ppc64
Comment 7 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:46 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-23 16:33:29 UTC
alpha stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:11:35 UTC
arm stable
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-02 22:37:40 UTC
@maintainer, please drop vulnerable.
Comment 11 Larry the Git Cow gentoo-dev 2019-09-03 07:56:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d769033e151e12e3ef46c1785e0437cf94803213

commit d769033e151e12e3ef46c1785e0437cf94803213
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-03 07:56:11 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-03 07:56:11 +0000

    app-admin/apache-tools: Security cleanup
    
    Bug: https://bugs.gentoo.org/692172
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 -
 app-admin/apache-tools/apache-tools-2.4.39.ebuild | 105 ----------------------
 2 files changed, 106 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=940c00751c3468b0805a99f3626330d89f5806a1

commit 940c00751c3468b0805a99f3626330d89f5806a1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-03 07:55:17 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-03 07:55:17 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/692172
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.39.ebuild | 257 --------------------------------
 2 files changed, 258 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-09-06 16:17:58 UTC
This issue was resolved and addressed in
 GLSA 201909-04 at https://security.gentoo.org/glsa/201909-04
by GLSA coordinator Thomas Deutschmann (whissi).