-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3133
                    Apache HTTP Server 2.4.41 released
                              16 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpd
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10098 CVE-2019-10097 CVE-2019-10092
                   CVE-2019-10082 CVE-2019-10081 CVE-2019-9517

Original Bulletin: 
   https://lists.apache.org/thread.html/be1e153d17bb9e32d43a38f176d93bf8a9f7568f5c8f3f5e5ebf76cd@%3Cannounce.httpd.apache.org%3E
   https://httpd.apache.org/security/vulnerabilities_24.html

- --------------------------BEGIN INCLUDED TEXT--------------------

                Apache HTTP Server 2.4.41 Released

   August 14, 2019

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.41 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.41 is available for download from:

     https://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4 please see:

     https://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.41, includes only
   those changes introduced since the prior 2.4 release.  A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

     https://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

     https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur including security
   patches.  Users must promptly complete their transitions to this 2.4.x
   release of httpd to benefit from further bug fixes or new features.

- --------------------------------------------------------------------------------

Fixed in Apache httpd 2.4.41

low: Limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

    A limited cross-site scripting issue was reported affecting the mod_proxy
    error page. An attacker could cause the link on the error page to be
    malformed and instead point to a page of their choice. This would only be
    exploitable where a server was set up with proxying enabled but was
    misconfigured in such a way that the Proxy Error page was displayed.

    We have taken this opportunity to also remove request data from many other
    in-built error messages. Note, however, that this issue did not affect them
    directly and their output was already escaped to prevent cross-site
    scripting attacks.
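    As an added illustration (Python, not httpd's own code), the snippet below
    shows the two defences the entry above describes: every piece of request
    data that reaches an error page is escaped for its HTML context, and the
    link on the page is rebuilt from the request in a way that cannot leave
    the site. The function names `safe_link_target` and `render_proxy_error`
    are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Added example, not httpd's code: an error-page renderer that treats the
# request URI as untrusted in both places it is used, the link target and
# the visible link text.


def safe_link_target(request_uri: str) -> str:
    """Derive a link target from the request that stays on this server.

    Any scheme or host present in the request is dropped; only a path that
    begins with a single '/' and contains no control characters is kept,
    otherwise the link falls back to the site root.
    """
    path = urlsplit(request_uri).path
    if not path.startswith("/") or path.startswith("//"):
        return "/"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        return "/"
    return path


def render_proxy_error(request_uri: str, reason: str) -> str:
    """Render a proxy error page whose request-derived parts are escaped.

    html.escape(quote=True) also escapes the quote characters, so the same
    escaped value is safe both inside href="..." and as element text.
    """
    target = html.escape(safe_link_target(request_uri), quote=True)
    return (
        "<html><head><title>Proxy Error</title></head><body>\n"
        "<h1>Proxy Error</h1>\n"
        f'<p>The proxy server could not handle the request <a href="{target}">{target}</a>.</p>\n'
        f"<p>Reason: <strong>{html.escape(reason, quote=True)}</strong></p>\n"
        "</body></html>\n"
    )
```

    The simplest variant of this defence is the one the entry also mentions:
    leave request data out of the error message altogether, in which case
    only the `reason` string still needs escaping.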

    Acknowledgements: This issue was reported by Matei "Mal" Badanoiu

    Reported to security team 9th July 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
                              2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25,
                              2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12,
                              2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2,
                              2.4.1, 2.4.0

low: mod_rewrite potential open redirect (CVE-2019-10098)

    Redirects configured with mod_rewrite that were intended to be
    self-referential might be fooled by encoded newlines and redirect instead
    to an unexpected URL within the request URL.
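    The entry does not spell out the rule shape involved. As an added
    illustration (Python, not mod_rewrite's code), the snippet below shows the
    regular-expression behaviour that lets an encoded newline slip past a
    self-reference check: in Python's `re`, as in PCRE unless
    `PCRE_DOLLAR_ENDONLY` is set, `$` also matches immediately before a newline
    that ends the subject, so the decoded form of `/app/x%0a` satisfies a
    `$`-anchored pattern. The `/app/` prefix, the `www.example.com` host and
    the names `LOOSE`, `STRICT`, `passes` and `self_redirect` are constructed
    for this example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Added example, not mod_rewrite code. A redirect meant to stay under /app/
# on this site checks the decoded request path against a pattern and only
# then builds the Location value from it.

# '$' also matches just before a newline that ends the string, so the
# decoded form of "/app/x%0a" ("/app/x\n") passes this check.
LOOSE = re.compile(r"^/app/[A-Za-z0-9/._-]*$")

# '\Z' matches only at the true end of the string; "/app/x\n" fails here.
STRICT = re.compile(r"^/app/[A-Za-z0-9/._-]*\Z")

SITE = "https://www.example.com"  # constructed placeholder host


def passes(pattern: "re.Pattern[str]", raw_path: str) -> bool:
    """Does the percent-decoded request path satisfy the pattern?"""
    return pattern.match(unquote(raw_path)) is not None


def self_redirect(raw_path: str) -> Optional[str]:
    """Return a same-site Location value, or None to refuse the redirect.

    Control characters (CR, LF and the rest) are rejected before any
    matching, because once they reach a header they end or split it.
    """
    path = unquote(raw_path)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        return None
    if STRICT.match(path) is None:
        return None
    return SITE + path
```

    The control-character check is deliberately separate from the pattern:
    a later edit to the pattern cannot silently reopen the newline case.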

    Acknowledgements: The issue was discovered by Yukitsugu Sasaki

    Reported to security team 26th March 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
                              2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25,
                              2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12,
                              2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2,
                              2.4.1, 2.4.0

moderate: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082)

    Using fuzzed network input, the http/2 session handling could be made to
    read memory after being freed, during connection shutdown.

    Acknowledgements: The issue was discovered by Craig Young of Tripwire VERT,
    <vuln-report@secur3.us>.

    Reported to security team 12th April 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
                              2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25,
                              2.4.23, 2.4.20, 2.4.18

moderate: mod_http2, memory corruption on early pushes (CVE-2019-10081)

    HTTP/2 very early pushes, for example configured with "H2PushResource",
    could lead to an overwrite of memory in the pushing request's pool, leading
    to crashes. The memory copied is that of the configured push link header
    values, not data supplied by the client.

    Acknowledgements: The issue was discovered by Craig Young of Tripwire VERT,
    <vuln-report@secur3.us>.

    Reported to security team 10th April 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
                              2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25,
                              2.4.23, 2.4.20

moderate: mod_http2, DoS attack by exhausting h2 workers (CVE-2019-9517)

    A malicious client could perform a DoS attack by flooding a connection with
    requests and never reading the responses on the TCP connection. Depending
    on how the h2 workers were dimensioned, relatively few connections were
    enough to block all of them.

    Acknowledgements: The issue was discovered by Jonathan Looney of Netflix.

    Reported to security team 10th April 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33,
                              2.4.32, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25,
                              2.4.23, 2.4.20

moderate: mod_remoteip, stack buffer overflow and NULL pointer dereference
    (CVE-2019-10097)

    When mod_remoteip was configured to use a trusted intermediary proxy server
    using the "PROXY" protocol, a specially crafted PROXY header could trigger
    a stack buffer overflow or NULL pointer dereference. This vulnerability could
    only be triggered by a trusted proxy and not by untrusted HTTP clients.
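    The entry above concerns parsing a PROXY header received from a trusted
    proxy. As an added illustration (Python, not mod_remoteip's code), the
    parser below handles the text form of the protocol, PROXY v1, and shows
    the checks a header parser needs before any field is trusted: a hard
    length limit, a field count check before any field is indexed, an
    explicit address-family whitelist, and address/port validation. The
    107-byte limit and the line layout come from the PROXY protocol
    specification; the binary v2 form is not covered here, and the names
    `parse_proxy_v1`, `ProxyInfo`, `ProxyHeaderError` and `accepts` are
    constructed for this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added example, not mod_remoteip's code. PROXY v1 is a single line:
#   "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n"
# of at most 107 bytes including the CRLF (limit from the PROXY spec).
MAX_V1_LEN = 107


class ProxyInfo(NamedTuple):
    family: str
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]


class ProxyHeaderError(ValueError):
    """Raised for any malformed header; nothing from it is used."""


def parse_proxy_v1(buf: bytes) -> ProxyInfo:
    """Parse one PROXY v1 line from the start of buf.

    Every length and field count is checked before the corresponding data
    is touched, so a short, overlong or oddly delimited header raises
    instead of being partially trusted.
    """
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % MAX_V1_LEN)
    line = buf[:end]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header")
    fields = text.split(" ")
    if len(fields) < 2:
        raise ProxyHeaderError("missing protocol field")
    family = fields[1]
    if family == "UNKNOWN":
        # The spec allows UNKNOWN with no addresses; the real peer address
        # of the connection remains authoritative in that case.
        return ProxyInfo("UNKNOWN", None, None, None, None)
    if family == "TCP4":
        version = 4
    elif family == "TCP6":
        version = 6
    else:
        raise ProxyHeaderError("unsupported family %r" % family)
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 fields, got %d" % len(fields))
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("malformed address")
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address does not match declared family")
    ports = []
    for text_port in fields[4:6]:
        if not text_port.isdigit() or len(text_port) > 5:
            raise ProxyHeaderError("malformed port")
        port = int(text_port)
        if not 0 <= port <= 65535:
            raise ProxyHeaderError("port out of range")
        ports.append(port)
    return ProxyInfo(family, str(src), str(dst), ports[0], ports[1])


def accepts(buf: bytes) -> bool:
    """True if buf starts with a well-formed PROXY v1 line."""
    try:
        parse_proxy_v1(buf)
        return True
    except ProxyHeaderError:
        return False
```

    The parser is meant to run only on connections from the configured
    trusted proxy, as the entry notes; it does not replace that
    configuration check, it limits what a malformed header from that proxy
    can do.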

    Acknowledgements: The issue was discovered by Daniel McCarney
    <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group
    (ISRG)

    Reported to security team 23rd July 2019
    Issue public              14th August 2019
    Update Released           14th August 2019
    Affects                   2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----