-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2988
                          apache2 security update
                             1 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11993 CVE-2020-11984 CVE-2020-9490
                   CVE-2020-1934 CVE-2020-1927 

Reference:         ESB-2020.2961
                   ESB-2020.2903
                   ESB-2020.2806
                   ESB-2020.2735

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4757

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4757-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 31, 2020                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984
                 CVE-2020-11993

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2020-1927

    Fabrice Perez reported that certain mod_rewrite configurations are
    prone to an open redirect.

CVE-2020-1934

    Chamal De Silva discovered that the mod_proxy_ftp module uses
    uninitialized memory when proxying to a malicious FTP backend.

CVE-2020-9490

    Felix Wilhelm discovered that a specially crafted value for the
    'Cache-Digest' header in an HTTP/2 request could cause a crash when
    the server later tries to HTTP/2 PUSH a resource.

CVE-2020-11984

    Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi
    module which could result in information disclosure or potentially
    remote code execution.

CVE-2020-11993

    Felix Wilhelm reported that, when trace/debug logging was enabled for
    the HTTP/2 module, certain traffic edge patterns could cause logging
    statements to be issued on the wrong connection, resulting in
    concurrent use of memory pools.

For the stable distribution (buster), these problems have been fixed in
version 2.4.38-3+deb10u4.

We recommend that you upgrade your apache2 packages.
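As an added example, not part of the Debian or AusCERT text: a dpkg-style version comparison that flags buster hosts whose installed apache2 is still below the fixed version 2.4.38-3+deb10u4. The inventory dict and its hostnames are constructed sample data.

```python
FIXED_VERSION = "2.4.38-3+deb10u4"  # buster fix named in DSA-4757-1
# Constructed sample inventory: hostname -> `dpkg-query -W -f='${Version}' apache2` on buster
INVENTORY = {
    "web-01": "2.4.38-3+deb10u3",  # one security upload behind the fix
    "web-02": "2.4.38-3+deb10u4",  # exactly the fixed version
    "web-03": "2.4.38-3",          # original buster release, never updated
}
def _order(c):
    # dpkg weight: '~' < end-of-string (same as a digit) < letters < other punctuation
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """Compare one upstream or revision fragment the way dpkg's verrevcmp() does."""
    while a or b:
        # non-digit run: compare character by character using dpkg weights
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            wa, wb = _order(a[:1]), _order(b[:1])
            if wa != wb:
                return wa - wb
            a, b = a[1:], b[1:]
        # digit run: numeric compare, leading zeros insignificant, longer run wins
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 for dpkg versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    for x, y in zip(split(a), split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def vulnerable_hosts(inventory, fixed=FIXED_VERSION):
    # hostnames whose installed apache2 sorts below the fixed version
    return sorted(h for h, v in inventory.items() if compare_versions(v, fixed) < 0)
```

Note that a plain string comparison would get `2.4.38-3+deb10u10` vs `2.4.38-3+deb10u4` wrong; the numeric-run rule above handles it as dpkg does.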

For the detailed security status of apache2, please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----