ALT-PU-2020-2594-1
Closed vulnerabilities
Published: 2020-08-07
BDU:2020-05176
Уязвимость модуля mod_proxy_uwsgi веб-сервера Apache HTTP Server, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации, выполнить произвольный код или вызвать отказ в обслуживании
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-08-07
BDU:2021-00585
Уязвимость реализации механизма HTTP/2 веб-сервера Apache HTTP Server, позволяющая нарущителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2020-08-07
BDU:2021-00779
Уязвимость реализации механизма HTTP/2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании или привести к неверной конфигурации сервера
Severity: HIGH (7.3)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2020-08-07
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11984
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- openSUSE-SU-2020:1285
- openSUSE-SU-2020:1293
- http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200810 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200817 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- https://httpd.apache.org/security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json
- [httpd-cvs] 20210330 svn commit: r1888199 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html
- [debian-lts-announce] 20200902 [SECURITY] [DLA 2362-1] uwsgi security update
- FEDORA-2020-0d3d3f5072
- FEDORA-2020-189a1e6c3e
- GLSA-202008-04
- https://security.netapp.com/advisory/ntap-20200814-0005/
- USN-4458-1
- DSA-4757
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- openSUSE-SU-2020:1285
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- DSA-4757
- USN-4458-1
- https://security.netapp.com/advisory/ntap-20200814-0005/
- GLSA-202008-04
- FEDORA-2020-189a1e6c3e
- FEDORA-2020-0d3d3f5072
- [debian-lts-announce] 20200902 [SECURITY] [DLA 2362-1] uwsgi security update
- [httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1888199 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
- [httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- [httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- https://httpd.apache.org/security/vulnerabilities_24.html
- [oss-security] 20200817 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200810 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- [oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow
- http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
- openSUSE-SU-2020:1293
Published: 2020-08-07
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11993
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- openSUSE-SU-2020:1285
- openSUSE-SU-2020:1293
- openSUSE-SU-2020:1792
- http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html
- FEDORA-2020-8122a8daa2
- FEDORA-2020-b58dc5df38
- GLSA-202008-04
- https://security.netapp.com/advisory/ntap-20200814-0005/
- USN-4458-1
- DSA-4757
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- openSUSE-SU-2020:1285
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- DSA-4757
- USN-4458-1
- https://security.netapp.com/advisory/ntap-20200814-0005/
- GLSA-202008-04
- FEDORA-2020-b58dc5df38
- FEDORA-2020-8122a8daa2
- [httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
- http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html
- openSUSE-SU-2020:1792
- openSUSE-SU-2020:1293
Published: 2020-08-07
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- openSUSE-SU-2020:1285
- openSUSE-SU-2020:1285
- openSUSE-SU-2020:1293
- openSUSE-SU-2020:1293
- openSUSE-SU-2020:1792
- openSUSE-SU-2020:1792
- http://packetstormsecurity.com/files/160392/Apache-2.4.43-mod_http2-Memory-Corruption.html
- http://packetstormsecurity.com/files/160392/Apache-2.4.43-mod_http2-Memory-Corruption.html
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
- [httpd-cvs] 20210407 svn commit: r1888469 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
- [httpd-cvs] 20210407 svn commit: r1888469 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1888203 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
- [httpd-cvs] 20210330 svn commit: r1888203 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
- [httpd-cvs] 20210407 svn commit: r1073454 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json security/vulnerabilities_24.html
- [httpd-cvs] 20210407 svn commit: r1073454 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json security/vulnerabilities_24.html
- [httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
- [httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210330 svn commit: r1073148 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json
- [httpd-cvs] 20210330 svn commit: r1073148 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
- [httpd-cvs] 20210603 svn commit: r1075355 - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- [httpd-cvs] 20210603 svn commit: r1075355 - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
- FEDORA-2020-8122a8daa2
- FEDORA-2020-8122a8daa2
- FEDORA-2020-b58dc5df38
- FEDORA-2020-b58dc5df38
- GLSA-202008-04
- GLSA-202008-04
- https://security.netapp.com/advisory/ntap-20200814-0005/
- https://security.netapp.com/advisory/ntap-20200814-0005/
- USN-4458-1
- USN-4458-1
- DSA-4757
- DSA-4757
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html