Amazon: ALAS-2019-1189
Apr 05, 2019 - 8:05 p.m.

Important: httpd24

alas.aws.amazon.com

CVSS3: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.974 High
Percentile: 99.9%

Issue Overview:

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. (CVE-2019-0211)

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them. (CVE-2019-0220)
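The following is an added example, not part of the advisory, for auditing your own configuration against the CVE-2019-0220 mismatch: it extracts LocationMatch patterns from a configuration snippet and reports which duplicate-slash spellings of a path they are meant to cover fall outside the regex. The sample configuration and paths are constructed, and Python's `re` module stands in for Apache's regex engine as an assumption that holds for simple patterns like these.

```python
import re

# Constructed sample configuration; the paths and patterns are illustrative only.
SAMPLE_CONF = '''
<LocationMatch "^/admin/">
    Require ip 10.0.0.0/8
</LocationMatch>
<LocationMatch "^/+reports/+">
    Require valid-user
</LocationMatch>
'''

# Pulls the quoted regex out of each <LocationMatch "..."> opening tag.
DIRECTIVE = re.compile(r'<LocationMatch\s+"([^"]+)"\s*>', re.IGNORECASE)

def collapse_slashes(path):
    """Collapse runs of '/' into one, as the rest of the server's processing does."""
    return re.sub(r"/{2,}", "/", path)

def slash_variants(path):
    """Return the path with each '/' doubled in turn (constructed test inputs)."""
    return [path[:i] + "/" + path[i:] for i, ch in enumerate(path) if ch == "/"]

def missed_spellings(pattern, path):
    """Duplicate-slash spellings of a covered path that the regex does not match."""
    rx = re.compile(pattern)
    canonical = collapse_slashes(path)
    if not rx.search(canonical):
        return []  # the pattern is not meant to cover this path
    return [v for v in slash_variants(canonical) if not rx.search(v)]

def audit_config(conf_text, protected_paths):
    """Map each LocationMatch pattern to the spellings it fails to cover."""
    findings = {}
    for pattern in DIRECTIVE.findall(conf_text):
        missed = [v for p in protected_paths for v in missed_spellings(pattern, p)]
        if missed:
            findings[pattern] = missed
    return findings

if __name__ == "__main__":
    paths = ["/admin/users", "/reports/q1"]
    for pattern, missed in audit_config(SAMPLE_CONF, paths).items():
        print(f"{pattern!r} does not cover: {missed}")
```

A pattern that appears in the findings needs its slashes written as `/+`, as the second sample directive does.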

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. (CVE-2019-0215)

A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. (CVE-2019-0196)

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol, or that only enabled it for https: and did not set “H2Upgrade on”, are unaffected by this issue. (CVE-2019-0197)

A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)

Affected Packages:

httpd24

Issue Correction:
Run yum update httpd24 to update your system.

New Packages:

i686:  
    httpd24-debuginfo-2.4.39-1.87.amzn1.i686  
    mod24_proxy_html-2.4.39-1.87.amzn1.i686  
    httpd24-2.4.39-1.87.amzn1.i686  
    httpd24-tools-2.4.39-1.87.amzn1.i686  
    httpd24-devel-2.4.39-1.87.amzn1.i686  
    mod24_session-2.4.39-1.87.amzn1.i686  
    mod24_ldap-2.4.39-1.87.amzn1.i686  
    mod24_ssl-2.4.39-1.87.amzn1.i686  
    mod24_md-2.4.39-1.87.amzn1.i686  
  
noarch:  
    httpd24-manual-2.4.39-1.87.amzn1.noarch  
  
src:  
    httpd24-2.4.39-1.87.amzn1.src  
  
x86_64:  
    mod24_session-2.4.39-1.87.amzn1.x86_64  
    mod24_md-2.4.39-1.87.amzn1.x86_64  
    mod24_ssl-2.4.39-1.87.amzn1.x86_64  
    httpd24-tools-2.4.39-1.87.amzn1.x86_64  
    httpd24-devel-2.4.39-1.87.amzn1.x86_64  
    httpd24-2.4.39-1.87.amzn1.x86_64  
    mod24_proxy_html-2.4.39-1.87.amzn1.x86_64  
    mod24_ldap-2.4.39-1.87.amzn1.x86_64  
    httpd24-debuginfo-2.4.39-1.87.amzn1.x86_64  

Additional References

Red Hat: CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220

Mitre: CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220
