ALAS-2019-1189


Amazon Linux AMI Security Advisory: ALAS-2019-1189
Advisory Release Date: 2019-04-05 20:05 Pacific
Advisory Updated Date: 2019-08-06 21:31 Pacific
Severity: Important

Issue Overview:

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. (CVE-2019-0211 )

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.(CVE-2019-0220 )

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.(CVE-2019-0215 )

A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.(CVE-2019-0196 )

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.(CVE-2019-0197 )

A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.(CVE-2019-0217 )


Affected Packages:

httpd24


Issue Correction:
Run yum update httpd24 to update your system.

New Packages:
i686:
    httpd24-debuginfo-2.4.39-1.87.amzn1.i686
    mod24_proxy_html-2.4.39-1.87.amzn1.i686
    httpd24-2.4.39-1.87.amzn1.i686
    httpd24-tools-2.4.39-1.87.amzn1.i686
    httpd24-devel-2.4.39-1.87.amzn1.i686
    mod24_session-2.4.39-1.87.amzn1.i686
    mod24_ldap-2.4.39-1.87.amzn1.i686
    mod24_ssl-2.4.39-1.87.amzn1.i686
    mod24_md-2.4.39-1.87.amzn1.i686

noarch:
    httpd24-manual-2.4.39-1.87.amzn1.noarch

src:
    httpd24-2.4.39-1.87.amzn1.src

x86_64:
    mod24_session-2.4.39-1.87.amzn1.x86_64
    mod24_md-2.4.39-1.87.amzn1.x86_64
    mod24_ssl-2.4.39-1.87.amzn1.x86_64
    httpd24-tools-2.4.39-1.87.amzn1.x86_64
    httpd24-devel-2.4.39-1.87.amzn1.x86_64
    httpd24-2.4.39-1.87.amzn1.x86_64
    mod24_proxy_html-2.4.39-1.87.amzn1.x86_64
    mod24_ldap-2.4.39-1.87.amzn1.x86_64
    httpd24-debuginfo-2.4.39-1.87.amzn1.x86_64