[SECURITY] [DLA 1748-1] apache2 security update

2019-04-0314:29:59

lists.debian.org

122

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

Package : apache2
Version : 2.4.10-10+deb8u14
CVE ID : CVE-2019-0217 CVE-2019-0220

Several vulnerabilities have been found in the Apache HTTP server.

CVE-2019-0217

A race condition in mod_auth_digest when running in a threaded
server could allow a user with valid credentials to authenticate
using another username, bypassing configured access control
restrictions. The issue was discovered by Simon Kappel.

CVE-2019-0220

Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL
normalizations were inconsistently handled. When the path component
of a request URL contains multiple consecutive slashes (&#x27;/&#x27;),
directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the servers
processing will implicitly collapse them.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.10-10+deb8u14.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Jonas Meurer

OSVersionArchitecturePackageVersionFilename
Debian9arm64apache2-dev< 2.4.25-3+deb9u7apache2-dev_2.4.25-3+deb9u7_arm64.deb
Debian9arm64apache2< 2.4.25-3+deb9u7apache2_2.4.25-3+deb9u7_arm64.deb
Debian8amd64apache2-suexec-pristine< 2.4.10-10+deb8u14apache2-suexec-pristine_2.4.10-10+deb8u14_amd64.deb
Debian9ppc64elapache2-suexec-pristine< 2.4.25-3+deb9u7apache2-suexec-pristine_2.4.25-3+deb9u7_ppc64el.deb
Debian8i386apache2-suexec< 2.4.10-10+deb8u14apache2-suexec_2.4.10-10+deb8u14_i386.deb
Debian9mipselapache2-dbg< 2.4.25-3+deb9u7apache2-dbg_2.4.25-3+deb9u7_mipsel.deb
Debian9s390xapache2-ssl-dev< 2.4.25-3+deb9u7apache2-ssl-dev_2.4.25-3+deb9u7_s390x.deb
Debian8amd64apache2-dbg< 2.4.10-10+deb8u14apache2-dbg_2.4.10-10+deb8u14_amd64.deb
Debian9i386apache2-utils< 2.4.25-3+deb9u7apache2-utils_2.4.25-3+deb9u7_i386.deb
Debian8armelapache2.2-common< 2.4.10-10+deb8u14apache2.2-common_2.4.10-10+deb8u14_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	arm64	apache2-dev	< 2.4.25-3+deb9u7	apache2-dev_2.4.25-3+deb9u7_arm64.deb
Debian	9	arm64	apache2	< 2.4.25-3+deb9u7	apache2_2.4.25-3+deb9u7_arm64.deb
Debian	8	amd64	apache2-suexec-pristine	< 2.4.10-10+deb8u14	apache2-suexec-pristine_2.4.10-10+deb8u14_amd64.deb
Debian	9	ppc64el	apache2-suexec-pristine	< 2.4.25-3+deb9u7	apache2-suexec-pristine_2.4.25-3+deb9u7_ppc64el.deb
Debian	8	i386	apache2-suexec	< 2.4.10-10+deb8u14	apache2-suexec_2.4.10-10+deb8u14_i386.deb
Debian	9	mipsel	apache2-dbg	< 2.4.25-3+deb9u7	apache2-dbg_2.4.25-3+deb9u7_mipsel.deb
Debian	9	s390x	apache2-ssl-dev	< 2.4.25-3+deb9u7	apache2-ssl-dev_2.4.25-3+deb9u7_s390x.deb
Debian	8	amd64	apache2-dbg	< 2.4.10-10+deb8u14	apache2-dbg_2.4.10-10+deb8u14_amd64.deb
Debian	9	i386	apache2-utils	< 2.4.25-3+deb9u7	apache2-utils_2.4.25-3+deb9u7_i386.deb
Debian	8	armel	apache2.2-common	< 2.4.10-10+deb8u14	apache2.2-common_2.4.10-10+deb8u14_armel.deb