Advisories ยป MGASA-2019-0109

Updated apache packages fix security vulnerability

Publication date: 14 Mar 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-17189 , CVE-2018-17199


By sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server thread cleaning up
that incoming data. This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior (CVE-2018-17189).

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the expiry
time is loaded when the session is decoded (CVE-2018-17199).

The apache package has been updated to version 2.4.38, fixing these issues
and several other bugs.  See the upstream CHANGES files for details.