"Apache HTTP Server versions 2.4.20 to 2.4.43: When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers."
"Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi info disclosure and possible RCE"
"IP address spoofing when proxying using mod_remoteip and mod_rewrite: For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020."
"A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers."
This issue was resolved and addressed in
GLSA 202008-04 at https://security.gentoo.org/glsa/202008-04
by GLSA coordinator Sam James (sam_c).
Reopening for remaining arches.
all arches done
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <firstname.lastname@example.org>
AuthorDate: 2020-08-31 23:00:21 +0000
Commit: Thomas Deutschmann <email@example.com>
CommitDate: 2020-08-31 23:00:28 +0000
www-servers/apache: security cleanup
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Thomas Deutschmann <firstname.lastname@example.org>
www-servers/apache/Manifest | 1 -
www-servers/apache/apache-2.4.43.ebuild | 272 --------------------------------
2 files changed, 273 deletions(-)