This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.2
--------------- apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium
* SECURITY UPDATE: HTTP/2 internal data buffering denial of service. - d/p/mod_http2-1.15.4-backport-0004-CVE-2019-9517.patch: improve http/2 module keepalive throttling. - CVE-2019-9517 * SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash denial of service (LP: #1840188) - d/p/mod_http2-1.14.1-backport-0001-Merge-r1852038-r1852101-from-trunk-CVE-2019-0197.patch: re-use slave connections and fix slave connection keepalives counter. - CVE-2019-0197 * SECURITY UPDATE: mod_http2 memory corruption on early pushes - included in mod_http2 1.15.4 backport - CVE-2019-10081 * SECURITY UPDATE: read-after-free in mod_http2 h2 connection shutdown. - included in mod_http2 1.15.4 backport - CVE-2019-10082 * SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL pointer dereference. - d/p/CVE-2019-10097.patch: add better sanity checks. - CVE-2019-10097 * SECURITY UPDATE: Limited cross-site scripting in mod_proxy error page. - d/p/CVE-2019-10092-1.patch: Remove request details from built-in error documents. - d/p/CVE-2019-10092-2.patch: Add missing log numbers. - d/p/CVE-2019-10092-3.patch: mod_proxy: Improve XSRF/XSS protection. - CVE-2019-10092-1 * SECURITY UPDATE: mod_rewrite potential open redirect - d/p/CVE-2019-10098.patch: Set PCRE_DOTALL by default. - CVE-2019-10098 * Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517, CVE-2019-10081, and CVE-2019-10082 fixes: - add d/p/mod_http2-1.14.1-backport-*.patches and d/p/mod_http2-1.15.4-backport-*.patches
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:31:40 -0700
This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.2
---------------
apache2 (2.4.38-2ubuntu2.2) disco-security; urgency=medium
* SECURITY UPDATE: HTTP/2 internal data buffering denial of service. http2-1. 15.4-backport- 0004-CVE- 2019-9517. patch: improve http2-1. 14.1-backport- 0001-Merge- r1852038- r1852101- from-trunk- CVE-2019- 0197.patch: 2019-10097. patch: add better sanity checks. 2019-10092- 1.patch: Remove request details from built-in 2019-10092- 2.patch: Add missing log numbers. 2019-10092- 3.patch: mod_proxy: Improve XSRF/XSS 2019-10098. patch: Set PCRE_DOTALL by default. http2-1. 14.1-backport- *.patches and p/mod_http2- 1.15.4- backport- *.patches
- d/p/mod_
http/2 module keepalive throttling.
- CVE-2019-9517
* SECURITY UPDATE: Upgrade request from http/1.1 to http/2 crash
denial of service (LP: #1840188)
- d/p/mod_
re-use slave connections and fix slave connection keepalives
counter.
- CVE-2019-0197
* SECURITY UPDATE: mod_http2 memory corruption on early pushes
- included in mod_http2 1.15.4 backport
- CVE-2019-10081
* SECURITY UPDATE: read-after-free in mod_http2 h2 connection
shutdown.
- included in mod_http2 1.15.4 backport
- CVE-2019-10082
* SECURITY UPDATE: mod_remoteip: Stack buffer overflow and NULL
pointer dereference.
- d/p/CVE-
- CVE-2019-10097
* SECURITY UPDATE: Limited cross-site scripting in mod_proxy
error page.
- d/p/CVE-
error documents.
- d/p/CVE-
- d/p/CVE-
protection.
- CVE-2019-10092-1
* SECURITY UPDATE: mod_rewrite potential open redirect
- d/p/CVE-
- CVE-2019-10098
* Backport mod_http2 v1.14.1 and v1.15.4 for CVE-2019-9517,
CVE-2019-10081, and CVE-2019-10082 fixes:
- add d/p/mod_
d/
-- Steve Beattie <email address hidden> Mon, 26 Aug 2019 06:31:40 -0700