Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianlists.debian.orgDEBIAN:DLA-3818-1:150EC
HistoryMay 25, 2024 - 11:06 a.m.

[SECURITY] [DLA 3818-1] apache2 security update

2024-05-2511:06:45
lists.debian.org
5
multiple vulnerabilities
apache http server
debian 10

7.9 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

83.8%

JSON

Debian LTS Advisory DLA-3818-1 [email protected]
https://www.debian.org/lts/security/ Bastien Roucariès
May 24, 2024 https://wiki.debian.org/LTS

Package : apache2
Version : 2.4.59-1~deb10u1
CVE ID : CVE-2019-17567 CVE-2023-31122 CVE-2023-38709 CVE-2023-45802
CVE-2024-24795 CVE-2024-27316
Debian Bug : 1068412

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in HTTP response splitting, denial of service, or
authorization bypass.

CVE-2019-17567

 mod_proxy_wstunnel configured on an URL that is not
 necessarily Upgraded by the origin server was tunneling
 the whole connection regardless, thus allowing for subsequent requests
 on the same connection to pass through with no HTTP validation,
 authentication or authorization possibly configured.

CVE-2023-31122

An Out-of-bounds Read vulnerability was found in mod_macro.

CVE-2023-38709

A faulty input validation was found in the core of Apache
that allows malicious or exploitable backend/content generators
to split HTTP responses.

CVE-2023-45802

When an HTTP/2 stream was reset (RST frame) by a client, there was a
time window were the request's memory resources were not reclaimed
immediately. Instead, de-allocation was deferred to connection close.
A client could send new requests and resets, keeping the connection
busy and open and causing the memory footprint to keep on growing.
On connection close, all resources were reclaimed, but the process
might run out of memory before that.

CVE-2024-24795

HTTP Response splitting in multiple modules in Apache HTTP Server
allows an attacker that can inject malicious response headers into
backend applications to cause an HTTP desynchronization attack.

CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP
413 response. If a client does not stop sending headers, this
leads to memory exhaustion.

For Debian 10 buster, these problems have been fixed in version
2.4.59-1~deb10u1.

Please note that the fix of CVE-2024-24795, may break unrelated
CGI-BIN scripts. As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field
of the HTTP reply header from the CGI programs back to the client
in cases where the connection is to be closed and the client
is able to read until end-of-file. You may restore legacy
behavior for trusted scripts by adding the following configuration
environment variable to the
Apache configuration, scoped to the <Directory> entry or
entries in which scripts are being served via CGI,
SetEnv ap_trust_cgilike_cl "yes".
The definitive fix is to read the whole input,
re-allocating the input buffer to fit as more input is received
in CGI-BIN scripts, and and to not trust that
CONTENT_LENGTH variable is always present.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Related

openvas 37
osv 16
nessus 62
debian 2
ubuntu 4
slackware 2
mageia 2
kaspersky 2
fedora 5
ibm 7
amazon 4
oraclelinux 4
redhat 5
freebsd 2
almalinux 2
rocky 2
debiancve 4
nvd 3
cve 2
photon 2
redos 1
redhatcve 4
veracode 3
prion 1
cbl_mariner 3
alpinelinux 3
ubuntucve 4
httpd 1
cvelist 3
f5 4
vulnrichment 2
githubexploit 1
openvas
openvas
Debian: Security Advisory (DLA-3818-1)
2024-05-27 00:00:00
Debian: Security Advisory (DSA-5662-1)
2024-04-17 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:1627-1)
2024-05-14 00:00:00
osv
osv
apache2 - security update
2024-05-24 00:00:00
apache2 - security update
2024-04-16 00:00:00
apache2 vulnerabilities
2024-04-29 11:31:21
nessus
nessus
Debian dla-3818 : apache2 - security update
2024-05-25 00:00:00
SUSE SLES12 Security Update : apache2 (SUSE-SU-2024:1627-1)
2024-05-14 00:00:00
Slackware Linux 15.0 / current httpd Multiple Vulnerabilities (SSA:2024-095-01)
2024-04-04 00:00:00
debian
debian
[SECURITY] [DSA 5662-1] apache2 security update
2024-04-16 18:32:07
[SECURITY] [DLA 3819-1] fossil security update
2024-05-25 11:33:10
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2024-04-17 00:00:00
Apache HTTP Server vulnerabilities
2024-04-11 00:00:00
Apache HTTP Server vulnerabilities
2024-04-29 00:00:00
slackware
slackware
[slackware-security] httpd
2024-04-04 19:16:44
[slackware-security] httpd
2023-10-19 19:21:22
mageia
mageia
Updated apache packages fix security vulnerabilities
2024-04-10 07:03:52
Updated apache packages fix security vulnerabilities
2023-10-28 00:49:40
kaspersky
kaspersky
KLA65470 Multiple vulnerabilities in Apache HTTP Server
2024-04-04 00:00:00
KLA61504 Multiple vulnerabilities in Apache HTTP Server
2023-10-19 00:00:00
fedora
fedora
[SECURITY] Fedora 40 Update: httpd-2.4.59-2.fc40
2024-04-19 21:45:00
[SECURITY] Fedora 38 Update: httpd-2.4.59-2.fc38
2024-05-04 02:19:58
[SECURITY] Fedora 39 Update: httpd-2.4.59-2.fc39
2024-05-03 01:33:21
ibm
ibm
Security Bulletin: A security vulnerability has been identified in IBM HTTP Server, which is used by IBM WebSphere Application Server in IBM Rational ClearQuest (CVE-2024-24795, CVE-2023-38709)
2024-04-22 11:02:48
Security Bulletin: Multiple Vulnerabilities have been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-38709, CVE-2024-24795)
2024-04-10 18:17:52
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2024-24795, CVE-2023-38709)
2024-04-17 15:56:22
amazon
amazon
Medium: httpd
2024-04-24 22:15:00
Important: httpd24
2023-10-30 23:31:00
Important: httpd
2023-10-30 23:59:00
oraclelinux
oraclelinux
httpd:2.4 security update
2024-05-24 00:00:00
mod_http2 security update
2024-05-07 00:00:00
httpd security update
2024-05-03 00:00:00
redhat
redhat
(RHSA-2024:2891) Moderate: httpd:2.4 security update
2024-05-16 11:37:17
(RHSA-2024:3121) Moderate: httpd:2.4 security update
2024-05-22 06:35:40
(RHSA-2024:2907) Moderate: httpd:2.4 security update
2024-05-20 01:02:25
freebsd
freebsd
Apache httpd -- multiple vulnerabilities
2024-04-04 00:00:00
Apache httpd -- Multiple vulnerabilities
2023-10-19 00:00:00
almalinux
almalinux
Moderate: httpd:2.4 security update
2024-05-22 00:00:00
Moderate: mod_http2 security update
2024-04-30 00:00:00
rocky
rocky
httpd:2.4 security update
2024-06-14 13:59:30
httpd:2.4/mod_http2 security update
2024-05-06 13:04:21
debiancve
debiancve
CVE-2019-17567
2021-06-10 07:15:07
CVE-2023-38709
2024-04-04 20:15:08
CVE-2024-27316
2024-04-04 20:15:08
nvd
nvd
CVE-2019-17567
2021-06-10 07:15:07
CVE-2024-27316
2024-04-04 20:15:08
CVE-2024-24795
2024-04-04 20:15:08
cve
cve
CVE-2019-17567
2021-06-10 07:15:07
CVE-2024-24795
2024-04-04 20:15:08
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0502
2023-11-01 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0680
2023-11-03 00:00:00
redos
redos
ROS-20240425-01
2024-04-25 00:00:00
redhatcve
redhatcve
CVE-2019-17567
2021-06-08 03:49:47
CVE-2024-27316
2024-04-03 19:27:03
CVE-2024-24795
2024-04-04 19:32:34
veracode
veracode
Privilege Escalation
2021-07-11 18:17:25
HTTP Response Splitting
2024-04-10 21:30:32
Memory Exhaustion
2024-04-10 19:25:29
prion
prion
Authentication flaw
2021-06-10 07:15:00
cbl_mariner
cbl_mariner
CVE-2019-17567 affecting package httpd for versions less than 2.4.52-1
2022-04-09 06:51:57
CVE-2024-24795 affecting package httpd for versions less than 2.4.59-1
2024-05-06 17:48:02
CVE-2019-17567 affecting package httpd 2.4.46-6
2021-10-15 04:46:31
alpinelinux
alpinelinux
CVE-2024-27316
2024-04-04 20:15:08
CVE-2023-31122
2023-10-23 07:15:11
CVE-2024-24795
2024-04-04 20:15:08
ubuntucve
ubuntucve
CVE-2024-24795
2024-04-04 00:00:00
CVE-2023-38709
2024-04-04 00:00:00
CVE-2019-17567
2021-06-10 00:00:00
httpd
httpd
Apache Httpd < 2.4.48 : mod_proxy_wstunnel tunneling of non Upgraded connections
2019-10-05 00:00:00
cvelist
cvelist
CVE-2019-17567 mod_proxy_wstunnel tunneling of non Upgraded connections
2021-06-10 07:10:19
CVE-2023-38709 Apache HTTP Server: HTTP response splitting
2024-04-04 19:19:35
CVE-2024-24795 Apache HTTP Server: HTTP Response Splitting in multiple modules
2024-04-04 19:20:48
f5
f5
K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567
2023-04-14 00:00:00
K000139764: Apache HTTPD vulnerability CVE-2023-38709
2024-05-24 00:00:00
K000139447 : Apache httpd vulnerability CVE-2024-24795
2024-05-08 00:00:00
vulnrichment
vulnrichment
CVE-2023-38709 Apache HTTP Server: HTTP response splitting
2024-04-04 19:19:35
CVE-2024-24795 Apache HTTP Server: HTTP Response Splitting in multiple modules
2024-04-04 19:20:48
githubexploit
githubexploit
Exploit for Allocation of Resources Without Limits or Throttling in Apache Http Server
2024-04-17 20:08:05

7.9 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

83.8%

JSON
Related for DEBIAN:DLA-3818-1:150EC
openvas37osv16nessus62debian2ubuntu4slackware2mageia2kaspersky2fedora5ibm7amazon4oraclelinux4redhat5freebsd2almalinux2rocky2debiancve4nvd3cve2photon2redos1redhatcve4veracode3prion1cbl_mariner3alpinelinux3ubuntucve4httpd1cvelist3f54vulnrichment2githubexploit1