{"id":"USN-4113-1","summary":"apache2 vulnerabilities","details":"Stefan Eissing discovered that the HTTP/2 implementation in Apache\ndid not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in\nsome situations. A remote attacker could use this to cause a denial\nof service (daemon crash). This issue only affected Ubuntu 18.04 LTS\nand Ubuntu 19.04. (CVE-2019-0197)\n\nCraig Young discovered that a memory overwrite error existed in\nApache when performing HTTP/2 very early pushes in some situations. A\nremote attacker could use this to cause a denial of service (daemon\ncrash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04.\n(CVE-2019-10081)\n\nCraig Young discovered that a read-after-free error existed in the\nHTTP/2 implementation in Apache during connection shutdown. A remote\nattacker could use this to possibly cause a denial of service (daemon\ncrash) or possibly expose sensitive information. This issue only\naffected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10082)\n\nMatei Badanoiu discovered that the mod_proxy component of\nApache did not properly filter URLs when reporting errors in some\nconfigurations. A remote attacker could possibly use this issue to\nconduct cross-site scripting (XSS) attacks. (CVE-2019-10092)\n\nDaniel McCarney discovered that the mod_remoteip component of Apache\ncontained a stack buffer overflow when parsing headers from a trusted\nintermediary proxy in some situations. A remote attacker controlling a\ntrusted proxy could use this to cause a denial of service or possibly\nexecute arbitrary code. This issue only affected Ubuntu 19.04.\n(CVE-2019-10097)\n\nYukitsugu Sasaki discovered that the mod_rewrite component in Apache\nwas vulnerable to open redirects in some situations. A remote attacker\ncould use this to possibly expose sensitive information or bypass\nintended restrictions. 
(CVE-2019-10098)\n\nJonathan Looney discovered that the HTTP/2 implementation in Apache did\nnot properly limit the amount of buffering for client connections in\nsome situations. A remote attacker could use this to cause a denial\nof service (unresponsive daemon). This issue only affected Ubuntu\n18.04 LTS and Ubuntu 19.04. (CVE-2019-9517)\n","modified":"2026-04-27T15:33:05.387029386Z","published":"2019-08-29T22:31:46Z","related":["UBUNTU-CVE-2019-0197","UBUNTU-CVE-2019-10081","UBUNTU-CVE-2019-10082","UBUNTU-CVE-2019-10092","UBUNTU-CVE-2019-10098","UBUNTU-CVE-2019-9517"],"upstream":["CVE-2019-0197","CVE-2019-10081","CVE-2019-10082","CVE-2019-10092","CVE-2019-10098","CVE-2019-9517","UBUNTU-CVE-2019-0197","UBUNTU-CVE-2019-10081","UBUNTU-CVE-2019-10082","UBUNTU-CVE-2019-10092","UBUNTU-CVE-2019-10097","UBUNTU-CVE-2019-10098","UBUNTU-CVE-2019-9517"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4113-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-0197"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-9517"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10081"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10082"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10092"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10097"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10098"}],"affected":[{"package":{"name":"apache2","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/apache2@2.4.18-2ubuntu3.12?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.18-2ubuntu3.12"}]}],"versions":["2.4.12-2ubuntu2","2.4.17-1ubuntu1","2.4.17-2ubuntu1","2.4.17-3ubuntu1","2.4.18-1ubuntu1","2.4.18-2ubuntu1","2.4.18-2ubuntu2","2.4.18-2ubuntu3","2.4.18-2ubuntu3.1","2.4.18-2ubuntu3.2","2.4.18-2ubuntu3.3","2.4.18-2ubuntu3.4","2.4.18-2ubuntu3.5","2.4.18-2ubuntu3.7","2.4.18-2ubuntu3.8","2.4.18-2ubuntu3.9","2.4.18-2ubu
ntu3.10"],"ecosystem_specific":{"binaries":[{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2"},{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2-bin"},{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2-data"},{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2-suexec-custom"},{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2-suexec-pristine"},{"binary_version":"2.4.18-2ubuntu3.12","binary_name":"apache2-utils"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4113-1.json","cves_map":{"cves":[{"id":"CVE-2019-10092","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-10098","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:16.04:LTS"}}},{"package":{"name":"apache2","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/apache2@2.4.29-1ubuntu4.10?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.29-1ubuntu4.10"}]}],"versions":["2.4.27-2ubuntu3","2.4.29-1ubuntu1","2.4.29-1ubuntu2","2.4.29-1ubuntu3","2.4.29-1ubuntu4","2.4.29-1ubuntu4.1","2.4.29-1ubuntu4.2","2.4.29-1ubuntu4.3","2.4.29-1ubuntu4.4","2.4.29-1ubuntu4.5","2.4.29-1ubuntu4.6","2.4.29-1ubuntu4.7","2.4.29-1ubuntu4.8"],"ecosystem_specific":{"binaries":[{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2"},{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2-bin"},{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2-data"},{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2-suexec-custom"},{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2-suexec-pristine"},{"binary_version":"2.4.29-1ubuntu4.10","binary_name":"apache2-utils"}],"availability":"No subscription 
required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4113-1.json","cves_map":{"cves":[{"id":"CVE-2019-0197","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-9517","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-10081","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-10082","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-10092","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-10098","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:18.04:LTS"}}}],"schema_version":"1.7.5"}