Apache HTTP Server 2.4 vulnerabilities
mportant: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)
Apache HTTP Server versions 2.4.20 to 2.4.43
A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.
Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Acknowledgements: Felix Wilhelm of Google Project Zero
Reported to security team | 24th April 2020 |
Issue public | 7th August 2020 |
Update Released | 7th August 2020 |
Affects | 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20 |
moderate: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)
Apache HTTP Server versions 2.4.32 to 2.4.43
mod_proxy_uwsgi info disclosure and possible RCE
Acknowledgements: Discovered by Felix Wilhelm of Google Project Zero
Reported to security team | 22nd July 2020 |
Issue public | 7th August 2020 |
Update Released | 7th August 2020 |
Affects | 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33 |
moderate: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)
Apache HTTP Server versions 2.4.20 to 2.4.43
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Acknowledgements: Felix Wilhelm of Google Project Zero
Reported to security team | 16th June 2020 |
Issue public | 7th August 2020 |
Update Released | 7th August 2020 |
Affects | 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20 |
https://httpd.apache.org/security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server Project
Apache HTTP Server 2.4 vulnerabilities This page lists all security vulnerabilities fixed in released versions of Apache HTTP Server 2.4. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may we
httpd.apache.org