
4432 matches found

Tenable Nessus
added 2020/08/27 12:0 a.m., 53 views

SUSE SLES15 Security Update : apache2 (SUSE-SU-2020:2344-1)

This update for apache2 fixes the following issues: CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071). CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074). CVE-2020-11993: When trace/debug was...

9.8 CVSS, 6.7 AI score, 0.90039 EPSS
Exploits 4, References 10

OSV
added 2020/08/26 3:2 p.m., 24 views

SUSE-SU-2020:2344-1 Security update for apache2

This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074).
- CVE-2020-11993: When trace/debu...

9.8 CVSS, 8.4 AI score, 0.90039 EPSS
Exploits 4, References 7

OSV
added 2020/08/25 12:50 p.m., 22 views

SUSE-SU-2020:2311-1 Security update for apache2

This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074).
- CVE-2020-11993: When trace/debu...

9.8 CVSS, 8.4 AI score, 0.90039 EPSS
Exploits 4, References 8

The Hacker News
added 2020/08/25 6:52 a.m., 163 views

Google Researcher Reported 3 Flaws in Apache Web Server Software

If your web-server runs on Apache, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it. Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the...

9.8 CVSS, 1.9 AI score, 0.90039 EPSS
Exploits 4

Mageia
added 2020/08/18 6:47 p.m., 66 views

Updated tomcat packages fix security vulnerability

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive (CVE-2020-11996). An h2c direct connection did not release the HTTP/1.1 processo...

7.5 CVSS, 6.7 AI score, 0.87553 EPSS
Exploits 1, References 3

OSV
added 2020/08/18 5:41 p.m., 23 views

MGASA-2020-0327 Updated apache packages fix security vulnerability

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability f...

9.8 CVSS, 9 AI score, 0.90039 EPSS
Exploits 4, References 4

Mageia
added 2020/08/18 5:41 p.m., 62 views

Updated apache packages fix security vulnerability

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability f...

9.8 CVSS, 9.5 AI score, 0.90039 EPSS
Exploits 4, References 3

Veracode
added 2020/08/18 2:3 a.m., 117 views

HTTP Request Smuggling

wildfly-undertow is vulnerable to HTTP request smuggling. The vulnerability exists against HTTP/1.x and HTTP/2 due to an incomplete fix for CVE-2017-2666, permitting invalid characters in an HTTP request. An attacker is able to poison a web-cache, perform an XSS attack, or obtain sensitive...

6.5 CVSS, 1.4 AI score, 0.02712 EPSS
Exploits 0, References 28, Affected Software 29

RedHat Linux
added 2020/08/17 1:28 p.m., 2 views

Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests

A flaw was discovered in Undertow where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from...

6.5 CVSS, 7.3 AI score, 0.02712 EPSS
Exploits 0, References 4

IBM Security Bulletins
added 2020/08/17 9:36 a.m., 73 views

Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony

Summary This interim fix provides instructions on upgrading Apache Tomcat to v8.5.57 in IBM Platform Symphony 7.1 Fix Pack 1 in order to address security vulnerabilities CVE-2020-9484, CVE-2020-11996, CVE-2020-13934, and CVE-2020-13935 in Apache Tomcat. Vulnerability Details CVEID: CVE-2020-13934...

7.5 CVSS, 1.2 AI score, 0.87553 EPSS
Exploits 16, Affected Software 1

Tenable Nessus
added 2020/08/14 12:0 a.m., 96 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Apache HTTP Server vulnerabilities (USN-4458-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4458-1 advisory. Fabrice Perez discovered that the Apache mod_rewrite module incorrectly handled certain redirects. A remote attacker could possibl...

9.8 CVSS, 7.4 AI score, 0.90039 EPSS
Exploits 4, References 6

Ubuntu
added 2020/08/13 2:27 p.m., 484 views

USN-4458-1: Apache HTTP Server vulnerabilities

Fabrice Perez discovered that the Apache mod_rewrite module incorrectly handled certain redirects. A remote attacker could possibly use this issue to perform redirects to an unexpected URL. (CVE-2020-1927) Chamal De Silva discovered that the Apache mod_proxy_ftp module incorrectly handled memory when...

9.8 CVSS, 7.3 AI score, 0.90039 EPSS
Exploits 4

Tenable Nessus
added 2020/08/13 12:0 a.m., 4118 views

Apache 2.4.x < 2.4.46 Multiple Vulnerabilities

The version of Apache httpd installed on the remote host is prior to 2.4.46. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.46 advisory. - Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE (CVE-2020-11984) - Apache HTTP Server versio...

9.8 CVSS, 6.8 AI score, 0.90039 EPSS
Exploits 4, References 3

Tenable Nessus
added 2020/08/13 12:0 a.m., 248 views

Oracle Linux 8 : nodejs:10 (ELSA-2020-2848)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-2848 advisory. - Fixes CVE-2020-11080, CVE-2020-8174, CVE-2020-10531 Tenable has extracted the preceding description block directly from the Oracle Linux security...

9.3 CVSS, 7.5 AI score, 0.07646 EPSS
Exploits 3, References 4

RedhatCVE
added 2020/08/11 8:13 p.m., 73 views

CVE-2020-9490

A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers negative argument to memmove that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability. Mitigation Configuring the HTTP/2...

5 CVSS, 3.5 AI score, 0.89744 EPSS
Exploits 0, References 4

Veracode
added 2020/08/11 3:25 a.m., 43 views

Denial Of Service (DoS)

apache2 is vulnerable to denial of service (DoS). The vulnerability exists when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 abov...

7.5 CVSS, 3.7 AI score, 0.58716 EPSS
Exploits 2, References 41, Affected Software 15

Veracode
added 2020/08/11 3:22 a.m., 38 views

Denial Of Service (DoS)

apache is vulnerable to denial of service (DoS). The vulnerability exists as a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will...

7.5 CVSS, 3 AI score, 0.89744 EPSS
Exploits 0, References 47, Affected Software 2

Tenable Nessus
added 2020/08/10 12:0 a.m., 36 views

FreeBSD : trafficserver -- resource consumption (6fd773d3-bc5a-11ea-b38d-f0def1d0c3ea)

Bryan Call reports: ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML databa...

7.5 CVSS, 7.4 AI score, 0.03909 EPSS
Exploits 0, References 2

OpenVAS
added 2020/08/10 12:0 a.m., 42 views

Apache HTTP Server 2.4.20 < 2.4.44 Multiple Vulnerabilities - Linux

Apache HTTP Server is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:http_server"; if...

7.5 CVSS, 8.9 AI score, 0.89744 EPSS
Exploits 2, References 1

OSV
added 2020/08/07 4:15 p.m., 42 views

CVE-2020-9490

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability f...

7.5 CVSS, 6.6 AI score, 0.89744 EPSS
Exploits 0, References 29