Apache HTTP Server < 2.4.39 Multiple Vulnerabilities

Versions of Apache HTTP server prior to 2.4.39 are unpatched, and therefore affected by multiple vulnerabilities :

• Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. (CVE-2019-0196)
• When HTTP/2 was enabled for a ‘http: host’ or H2Upgrade was enabled for h2 on a ‘https: host’, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for HTTPS and did not configure the “H2Upgrade on” is unaffected by this. (CVE-2019-0197)
• With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard. (CVE-2019-0211)
• A bug in ‘mod_ssl’ when using per-location client certificate verification with TLSv1.3 allows a client supporting Post-Handshake Authentication to bypass configured access control restrictions. (CVE-2019-0215)
• A race condition in ‘mod_auth_digest’ when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)
• When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as ‘LocationMatch’ and ‘RewriteRule’ must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. (CVE-2019-0220)