| Description: | Summary:
The remote host is missing an update for the Debian 'apache2' package(s) announced via the DSA-4509-3 advisory.
Vulnerability Insight:
Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2019-9517
Jonathan Looney reported that a malicious client could perform a denial of service attack (exhausting h2 workers) by flooding a connection with requests and basically never reading responses on the TCP connection.
CVE-2019-10081
Craig Young reported that HTTP/2 PUSHes could lead to an overwrite of memory in the pushing request's pool, leading to crashes.
CVE-2019-10082
Craig Young reported that the HTTP/2 session handling could be made to read memory after being freed, during connection shutdown.
CVE-2019-10092
Matei Mal Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page.
CVE-2019-10097
Daniel McCarney reported that when mod_remoteip was configured to use a trusted intermediary proxy server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. The issue does not affect the stretch release.
CVE-2019-10098
Yukitsugu Sasaki reported a potential open redirect vulnerability in the mod_rewrite module.
For the oldstable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u8.
For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u1.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security tracker page at: [link moved to references]
Affected Software/OS:
'apache2' package(s) on Debian 9, Debian 10.
Solution:
Please install the updated package(s).
CVSS Score:
7.8
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C
|
