Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Ubuntu) | | Undecided | Unassigned | |
Bug Description
According to https:/
Alex Murray (alexmurray) wrote : | #2 |
There is a package in the ubuntu-
Jose Delarosa (jdelaros1) wrote : | #3 |
Alex,
If I can find a suitable test case I'd be happy to test. Or are we talking just general testing?
Alex Murray (alexmurray) wrote : | #4 |
Any testing which you can give would be great.
Jose Delarosa (jdelaros1) wrote : | #5 |
Testing on Bionic, some sanity checking only. Looks good so far.
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10
---------------
apache2 (2.4.29-
* SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
- d/p/mod_
http/2 module keepalive throttling.
- CVE-2019-9517
* SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
denial of service (LP: #1840188)
- d/p/mod_
re-use slave connections and fix slave connection keepalives
counter.
- CVE-2019-0197
* SECURITY UPDATE: mod_http2 memory corruption on early pushes
- included in mod_http2 1.15.4 backport
- CVE-2019-10081
* SECURITY UPDATE: read-after-free in mod_http2 h2 connection
shutdown.
- included in mod_http2 1.15.4 backport
- CVE-2019-10082
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-
error documents.
- d/p/CVE-
- d/p/CVE-
protection.
- CVE-2019-10092-1
* SECURITY UPDATE: mod_rewrite potential open redirect.
- d/p/CVE-
- CVE-2019-10098
* Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
CVE-2019-10081, and CVE-2019-10082 fixes:
- add d/p/mod_
d/
- dropped the following patches included above:
+ d/p/CVE-
+ d/p/CVE-
+ d/p/CVE-
+ d/p/CVE-
+ d/p/CVE-
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:41:23 -0700
Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.2
---------------
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium
* SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
- d/p/mod_
http/2 module keepalive throttling.
- CVE-2019-9517
* SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
denial of service (LP: #1840188)
- d/p/mod_
re-use slave connections and fix slave connection keepalives
counter.
- CVE-2019-0197
* SECURITY UPDATE: mod_http2 memory corruption on early pushes
- included in mod_http2 1.15.4 backport
- CVE-2019-10081
* SECURITY UPDATE: read-after-free in mod_http2 h2 connection
shutdown.
- included in mod_http2 1.15.4 backport
- CVE-2019-10082
* SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
pointer dereference.
- d/p/CVE-
- CVE-2019-10097
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-
error documents.
- d/p/CVE-
- d/p/CVE-
protection.
- CVE-2019-10092-1
* SECURITY UPDATE: mod_rewrite potential open redirect
- d/p/CVE-
- CVE-2019-10098
* Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
CVE-2019-10081, and CVE-2019-10082 fixes:
- add d/p/mod_
d/
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:31:40 -0700
Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Hi,
this is tracked in https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0197.html
but the priority currently is low.
There seems to be all kinds of http2 effort right now.
I'll ping the security team to be aware of your bug to close it once a fix is released.