This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.10
---------------
apache2 (2.4.29-1ubuntu4.10) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 internal data buffering denial of service.
    - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve
      http/2 module keepalive throttling.
    - CVE-2019-9517
  * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
    denial of service (LP: #1840188)
    - d/p/mod_http2-1.14.1-backport-0019-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch:
      re-use slave connections and fix slave connection keepalives
      counter.
    - CVE-2019-0197
  * SECURITY UPDATE: mod_http2 memory corruption on early pushes
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10081
  * SECURITY UPDATE: read-after-free in mod_http2 h2 connection
    shutdown.
    - included in mod_http2 1.15.4 backport
    - CVE-2019-10082
  * SECURITY UPDATE: Limited cross-site scripting in mod_proxy
    error page.
    - d/p/CVE-2019-10092-1.patch: Remove request details from built-in
      error documents.
    - d/p/CVE-2019-10092-2.patch: Add missing log numbers.
    - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS
      protection.
    - CVE-2019-10092-1
  * SECURITY UPDATE: mod_rewrite potential open redirect.
    - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default.
    - CVE-2019-10098
  * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
    CVE-2019-10081, and CVE-2019-10082 fixes:
    - add d/p/mod_http2-1.14.1-backport-*.patches and
      d/p/mod_http2-1.15.4-backport-*.patches
    - dropped the following patches included above:
      + d/p/CVE-2018-1302.patch
      + d/p/CVE-2018-1333.patch
      + d/p/CVE-2018-11763.patch
      + d/p/CVE-2018-17189.patch
      + d/p/CVE-2019-0196.patch

-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:41:23 -0700