Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

Bug #1840188 reported by Jose Delarosa on 2019-08-14
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Undecided
Unassigned

Bug Description

According to https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0197.html as of Aug 14, 2019, a fix is needed for CVE-2019-0197 in apache2 in Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 19.04 (Disco Dingo). Priority should be 18.04 LTS of course.

Hi,
this is tracked in https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0197.html
but the priority currently is low.

There seems to be all kind of http2 effort right now.
I'll ping the security team to be aware of your bug to close it once a fix is released.

Changed in apache2 (Ubuntu):
status: New → Triaged
Alex Murray (alexmurray) wrote :

There is a package in the ubuntu-security-proposed PPA which includes this fix (and some others) for both bionic and disco, any testing which you could provide would be appreciated. https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Jose Delarosa (jdelaros1) wrote :

Alex,

If I can find a suitable test case I'd be happy to test. Or are we talking just general testing?

Alex Murray (alexmurray) wrote :

Any testing which you can give would be great.

Jose Delarosa (jdelaros1) wrote :

Testing on Bionic, some sanity checking only. Looks good so far.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10

---------------
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

 -- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:41:23 -0700

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.2

---------------
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
    pointer dereference.
    - d/p/CVE-2019-10097.patch: add better sanity checks.
    - CVE-2019-10097
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches

 -- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:31:40 -0700

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers