{"id":"MGASA-2020-0327","summary":"Updated apache packages fix security vulnerability","details":"Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the\n'Cache-Digest' header in a HTTP/2 request would result in a crash when the\nserver actually tries to HTTP/2 PUSH a resource afterwards. Configuring the\nHTTP/2 feature via \"H2Push off\" will mitigate this vulnerability for unpatched\nservers (CVE-2020-9490).\n\nApache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and\npossible remote code execution (CVE-2020-11984).\n\nApache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for\nthe HTTP/2 module and on certain traffic edge patterns, logging statements were\nmade on the wrong connection, causing concurrent use of memory pools.\nConfiguring the LogLevel of mod_http2 above \"info\" will mitigate this\nvulnerability for unpatched servers (CVE-2020-11993).\n\nThe apache package has been updated to version 2.4.46, fixing these issues and\nother bugs.  See the upstream CHANGES file for details.\n","modified":"2026-04-16T04:44:19.086483674Z","published":"2020-08-18T17:41:27Z","upstream":["CVE-2020-11984","CVE-2020-11993","CVE-2020-9490"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0327.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27058"},{"type":"WEB","url":"https://httpd.apache.org/security/vulnerabilities_24.html#2.4.44"},{"type":"WEB","url":"https://downloads.apache.org/httpd/CHANGES_2.4.46"}],"affected":[{"package":{"name":"apache","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.46-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0327.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}