
[SECURITY] [DLA 2362-1] uwsgi security update




-----------------------------------------------------------------------
Debian LTS Advisory DLA-2362-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
September 03, 2020                          https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : uwsgi
Version        : 2.0.14+20161117-3+deb9u3
CVE ID         : CVE-2020-11984

Apache HTTP Server versions before 2.4.32 use src:uwsgi, where a flaw
was discovered. The uwsgi protocol does not let us serialize more
than 16K of HTTP header, leading to resource exhaustion and denial of
service.

For Debian 9 stretch, this problem has been fixed in version
2.0.14+20161117-3+deb9u3.

We recommend that you upgrade your uwsgi packages.

For the detailed security status of uwsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uwsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS