
Debian Security Advisory

DSA-4509-1 apache2 -- security update

Date Reported:
26 Aug 2019
Affected Packages:
apache2
Vulnerable:
Security database references:
In Mitre's CVE dictionary: CVE-2019-9517, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098.
More information:

Multiple vulnerabilities have been discovered in the Apache HTTPD server.

  • CVE-2019-9517

    Jonathan Looney reported that a malicious client could perform a denial of service attack (exhausting h2 workers) by flooding a connection with requests and basically never reading responses on the TCP connection.

  • CVE-2019-10081

    Craig Young reported that HTTP/2 PUSHes could lead to an overwrite of memory in the pushing request's pool, leading to crashes.

  • CVE-2019-10082

    Craig Young reported that the HTTP/2 session handling could be made to read memory after being freed, during connection shutdown.

  • CVE-2019-10092

    Matei Mal Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page.

  • CVE-2019-10097

    Daniel McCarney reported that when mod_remoteip was configured to use a trusted intermediary proxy server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. The issue does not affect the stretch release.

  • CVE-2019-10098

    Yukitsugu Sasaki reported a potential open redirect vulnerability in the mod_rewrite module.

For the oldstable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u8.

For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2
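Added example, not part of the advisory or of Debian's own tooling: a Python check that compares an installed apache2 version with the fixed versions quoted above, reimplementing the Debian version ordering from deb-version(7) so it also runs where dpkg is not installed. The function names and the `FIXED` table are assumptions of this example.

```python
from itertools import zip_longest

# Fixed apache2 versions quoted in DSA-4509-1, keyed by release codename.
FIXED = {"stretch": "2.4.25-3+deb9u8", "buster": "2.4.38-3+deb10u1"}

def _order(c):
    # dpkg character weights: '~' < end of string < letters < other punctuation
    if c == "~" or c == "" or c.isdigit():
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's upstream/revision comparison: alternate non-digit runs (lexical,
    # weighted by _order) and digit runs (numeric) until both strings are used up.
    while a or b:
        ia = next((i for i, ch in enumerate(a) if ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if ch.isdigit()), len(b))
        for x, y in zip_longest(a[:ia], b[:ib], fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[ia:], b[ib:]
        ia = next((i for i, ch in enumerate(a) if not ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if not ch.isdigit()), len(b))
        na, nb = int(a[:ia] or 0), int(b[:ib] or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ia:], b[ib:]
    return 0

def _split(v):
    # "[epoch:]upstream[-revision]"; the revision is everything after the last '-'
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev

def compare_versions(v1, v2):
    # Returns -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(release, installed):
    # True when the installed apache2 version is at or above the advisory's fix.
    return compare_versions(installed, FIXED[release]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' apache2` from each host; a backport built from an older revision (for example a `~bpo` version) correctly sorts below the fixed version.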