Debian Security Advisory

DSA-4422-1 apache2 -- security update

Date Reported:
03 Apr 2019
Affected Packages:
apache2
Vulnerable:
Security database references:
In the Debian bugtracking system: Bug 920302, Bug 920303.
In Mitre's CVE dictionary: CVE-2018-17189, CVE-2018-17199, CVE-2019-0196, CVE-2019-0211, CVE-2019-0217, CVE-2019-0220.
More information:

Several vulnerabilities have been discovered in the Apache HTTP server.

  • CVE-2018-17189

    Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service.

  • CVE-2018-17199

    Diego Angulo from ImExHS discovered that mod_session_cookie does not respect expiry time.

  • CVE-2019-0196

    Craig Young discovered that the http/2 request handling in mod_http2 could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

  • CVE-2019-0211

    Charles Fol discovered a privilege escalation from the less-privileged child process to the parent process running as root.

  • CVE-2019-0217

    A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. The issue was discovered by Simon Kappel.

  • CVE-2019-0220

    Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL normalizations were inconsistently handled. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in their regular expressions, while other aspects of the server's processing will implicitly collapse them.

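The following is an added illustration of the CVE-2019-0220 point above; it is not part of the advisory and not Apache code. It models, in simplified form, the two behaviours the advisory contrasts: a regex-based directive evaluated against the raw request path, and server processing that implicitly merges consecutive slashes. The `/admin/` prefix, the two candidate patterns and the sample paths are constructed for the example; `collapse_slashes` is a stand-in for the server-side collapsing, not the server's actual code. The audit function reports paths where a pattern decides differently on the raw and the collapsed form, which is the check an administrator would run over their LocationMatch and RewriteRule expressions.

```python
import re

# Constructed sample request paths (not taken from the advisory).
SAMPLE_PATHS = [
    "/admin/panel",
    "//admin/panel",
    "/admin//panel",
    "///admin///panel",
]

def collapse_slashes(path: str) -> str:
    """Simplified model of the server-side step that implicitly merges
    runs of '/' before the path is resolved (assumption, not httpd code)."""
    return re.sub(r"/{2,}", "/", path)

# The way a LocationMatch restriction for /admin/ is commonly written.
NAIVE_ADMIN = re.compile(r"^/admin/")

# The same restriction written to account for duplicate slashes, as the
# advisory says such regular expressions must.
TOLERANT_ADMIN = re.compile(r"^/+admin/+")

def is_restricted(pattern: re.Pattern, raw_path: str) -> bool:
    """Would this directive regex apply to the given path?"""
    return pattern.search(raw_path) is not None

def audit(pattern: re.Pattern, raw_path: str) -> tuple:
    """Return (decision on raw path, decision on collapsed path, consistent?)."""
    on_raw = is_restricted(pattern, raw_path)
    on_collapsed = is_restricted(pattern, collapse_slashes(raw_path))
    return on_raw, on_collapsed, on_raw == on_collapsed

def inconsistent_paths(pattern: re.Pattern, paths=SAMPLE_PATHS) -> list:
    """Paths for which the regex decides one way on the request as sent
    and the other way on the collapsed path the server goes on to use.
    A non-empty result means the directive does not cover every spelling
    of the same resource."""
    return [p for p in paths if not audit(pattern, p)[2]]

if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_ADMIN), ("tolerant", TOLERANT_ADMIN)):
        print(name, "inconsistent on:", inconsistent_paths(pattern))
```

With the naive pattern, a request whose path begins with more than one slash is not matched by the directive even though the server resolves it to the same `/admin/...` resource; the duplicate-tolerant pattern decides identically on both forms for every sample path.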
For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u7.

This update also includes bug fixes that were scheduled for inclusion in the next stable point release. This includes a fix for a regression caused by the security fix in version 2.4.25-3+deb9u6.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2