
enterprise-support team mailing list archive

[Bug 1840188] Re: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

 

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10

---------------
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <sbeattie@xxxxxxxxxx>  Mon, 26 Aug 2019 06:41:23 -0700

** Changed in: apache2 (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11763

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1302

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1333

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17189

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0196

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10081

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10082

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10092

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10098

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9517

** Changed in: apache2 (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10097
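The practical question for anyone subscribed to this bug is whether a given Bionic host already carries 2.4.29-1ubuntu4.10 or later. The check below is an added example written for this archive page; it is not code from Ubuntu, Launchpad or the apache2 package. It implements the dpkg version-ordering rules (epoch, upstream part, Debian revision, with the alternating non-digit/digit comparison and "~" sorting first) so that revisions such as 1ubuntu4.9 and 1ubuntu4.10 compare correctly, which a plain string comparison gets wrong. The `dpkg -l` output embedded in it is constructed sample text, not taken from a real host, and the function names are this example's own.

```python
"""Check whether an installed apache2 version on Ubuntu 18.04 (bionic)
includes the security release 2.4.29-1ubuntu4.10 named in this bug
notification, using dpkg's version ordering rather than string order.
Added example; not code from Ubuntu or the apache2 package."""

import re

FIXED_BIONIC_VERSION = "2.4.29-1ubuntu4.10"  # from the changelog above


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg ranks them:
    '~' sorts before everything (even end of string), letters sort by
    code point, other punctuation sorts after letters."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments with dpkg's alternating
    non-digit / digit algorithm. Negative: a < b, zero: equal, positive: a > b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order();
        # a missing character counts as weight 0 (so "~" still sorts below it).
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides. This is what makes 4.10 > 4.9.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split a Debian version string into (epoch, upstream, revision).
    A missing epoch is 0; a missing revision is treated as "0"."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: native package, no Debian revision
        upstream, revision = revision, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full dpkg comparison: epoch first, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_BIONIC_VERSION) -> bool:
    """True when `installed` is the fixed bionic version or a later one."""
    return compare_versions(installed, fixed) >= 0


# Constructed sample of `dpkg -l apache2` output; not from a real host.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name      Version             Architecture Description
+++-=========-===================-============-=========================
ii  apache2   2.4.29-1ubuntu4.9   amd64        Apache HTTP Server
"""

_DPKG_L_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def check_dpkg_l(output: str, package: str = "apache2",
                 fixed: str = FIXED_BIONIC_VERSION) -> dict:
    """Find `package` in `dpkg -l` style output and report whether the
    installed version (status 'ii') is at least `fixed`."""
    for line in output.splitlines():
        m = _DPKG_L_ROW.match(line)
        if m and m.group(2) == package:
            status, _, version, _ = m.groups()
            installed = status == "ii"
            return {"installed": installed, "version": version,
                    "fixed": installed and is_fixed(version, fixed)}
    return {"installed": False, "version": None, "fixed": False}


if __name__ == "__main__":
    for v in ("2.4.29-1ubuntu4.9", "2.4.29-1ubuntu4.10", "2.4.29-1ubuntu4.11"):
        print(f"{v}: string order says fixed={v >= FIXED_BIONIC_VERSION}, "
              f"dpkg order says fixed={is_fixed(v)}")
    print(check_dpkg_l(SAMPLE_DPKG_L))
```

On a real host, `dpkg -l` may truncate the Version column to the terminal width; `dpkg-query -W -f '${Version}\n' apache2` prints it in full and is the better input for check_dpkg_l-style parsing. The fixed version above is the bionic one given in this notification; the bug title also covers Disco, but no Disco version is stated on this page, so the same check for 19.04 needs the version from that release's own changelog. A fixed package on disk also says nothing about whether the running httpd was restarted after the upgrade.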

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1840188

Title:
  Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1840188/+subscriptions

