All errata/c8.1/ALT-PU-2019-1610-1
ALT-PU-2019-1610-1

Package update apache2 in branch c8.1

Version2.4.39-alt1
Task#226419
Published2019-04-09
Max severityHIGH
Severity:

Closed issues (14)

BDU:2019-01404
HIGH7.8

Уязвимость модуля MPM веб-сервера Apache HTTP, связанная с использованием памяти после её освобождения, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2019-04-17Modified: 2025-08-19
CVSS 3.xHIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2019-02559
MEDIUM5.3

Уязвимость модуля mod_http2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании или получить доступ к конфиденциальной информации

Published: 2019-07-18Modified: 2025-08-19
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2019-04285
HIGH7.2

Уязвимость модуля mod_remoteip веб-сервера Apache HTTP Server, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2019-12-03Modified: 2025-08-19
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 8.5
CVSS:2.0/AV:N/AC:M/Au:S/C:C/I:C/A:C
References
BDU:2019-04407
MEDIUM5.3

Уязвимость модуля RewriteRule веб-сервера Apache, связанная с использованием имени с неправильной ссылкой, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2019-12-03Modified: 2025-08-19
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2019-04408
MEDIUM5.6

Уязвимость компонента mod_auth_digest веб-сервера Apache HTTP Server, позволяющая нарушителю проходить аутентификацию, используя другое имя пользователя

Published: 2019-12-03Modified: 2025-08-19
CVSS 3.xMEDIUM 5.6
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
References
BDU:2019-04409
HIGH7.5

Уязвимость компонента mod_ssl веб-сервера Apache HTTP Server, позволяющая нарушителю обойти настроенные ограничения контроля доступа

Published: 2019-12-03Modified: 2025-08-19
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 8.5
CVSS:2.0/AV:N/AC:M/Au:S/C:C/I:C/A:C
References
BDU:2019-04410
MEDIUM4.2

Уязвимость реализации сетевого протокола HTTP/2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании или привести к неверной конфигурации сервера

Published: 2019-12-03Modified: 2025-08-19
CVSS 3.xMEDIUM 4.2
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:P
References
CVE-2019-0196
MEDIUM5.3

A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

Published: 2019-06-11Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2019-0197
MEDIUM4.2

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

Published: 2019-06-11Modified: 2024-11-21
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:P
CVSS 3.xMEDIUM 4.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
References
CVE-2019-0211
HIGH7.8

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Published: 2019-04-08Modified: 2025-10-27
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2019-0215
HIGH7.5

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

Published: 2019-04-08Modified: 2024-11-21
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2019-0217
HIGH7.5

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Published: 2019-04-08Modified: 2024-11-21
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2019-0220
MEDIUM5.3

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Published: 2019-06-11Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2019-10097
HIGH7.2

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Published: 2019-09-26Modified: 2024-11-21
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References