httpd24-1.1-19.AXS4, httpd24-httpd-2.4.25-9.AXS4.1, httpd24-nghttp2-1.7.1-8.AXS4
Errata ID: AXSA:2019-4423:01
The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.
Security Fix(es):
* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)
* httpd: mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
* httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)
* httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
* httpd: URL normalization inconsistency (CVE-2019-0220)
* httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* `ExtendedStatus Off` directive when using mod_systemd causes systemctl to hang (BZ#1669213)
* httpd can not be started with mod_md enabled (BZ#1673019)
* Rebuild metapackage with latest scl-utils (BZ#1696527)
* fix a regression introduced in r1740928 (BZ#1707636)
* duplicated cookie in Apache httpd with mod_session (BZ#1725922)
* Unexpected OCSP in proxy SSL connection (BZ#1744120)
Enhancement(s):
* RFE: updated collection for httpd 2.4 (BZ#1726706)
Additional Changes:
For detailed information on changes in this release, see the Asianux Software Collections 3.4 Release Notes linked from the References section.
CVE-2018-17189
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-17199
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
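The ordering bug described above, modelled as an added example (not mod_session's real code or cookie encoding): the expiry lives inside the encoded session, so a check that runs before decoding compares against an unset value and never rejects anything. The cookie format, field names and timestamps are constructed for illustration.

```python
import base64
import json

# Model of the CVE-2018-17199 ordering bug. The expiry is stored *inside* the
# encoded session (as with mod_session_cookie), so it is only known after the
# cookie has been decoded. Checking it before decoding compares against an
# unset value and never rejects anything. Encoding and field names here are
# constructed for this example, not mod_session's real format.

def encode_session(data: dict, expiry: int) -> str:
    """Serialise session data plus its expiry (Unix time, 0 = never expires)."""
    payload = dict(data, expiry=expiry)
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()

def decode_session(cookie: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(cookie.encode()))

def load_session_buggy(cookie: str, now: int):
    """Pre-fix ordering: expiry is checked before decode, so it is still 0."""
    expiry = 0
    if expiry and now > expiry:        # never true: expiry not loaded yet
        return None
    session = decode_session(cookie)   # expiry only becomes known here
    return session

def load_session_fixed(cookie: str, now: int):
    """Fixed ordering: decode first, then enforce the expiry it carried."""
    session = decode_session(cookie)
    if session["expiry"] and now > session["expiry"]:
        return None
    return session

# Constructed example values: one session that expired an hour ago, one valid.
NOW = 1_560_000_000
EXPIRED_COOKIE = encode_session({"user": "alice"}, expiry=NOW - 3600)
VALID_COOKIE = encode_session({"user": "alice"}, expiry=NOW + 3600)

if __name__ == "__main__":
    print("buggy accepts expired:", load_session_buggy(EXPIRED_COOKIE, NOW) is not None)
    print("fixed accepts expired:", load_session_fixed(EXPIRED_COOKIE, NOW) is not None)
```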
CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
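An added example (not part of the advisory or of httpd) that lets an administrator audit a LocationMatch-style regex for the inconsistency described above: a pattern is only safe if it decides the same way for the raw request path and for its slash-collapsed form. The sample paths and the two patterns are constructed for illustration.

```python
import re

# Emulates the CVE-2019-0220 inconsistency: LocationMatch and RewriteRule regexes
# see the raw request path, while other parts of the server implicitly collapse
# duplicate slashes. A rule is consistent only if it matches (or not) identically
# on the raw path and on the collapsed path.

def collapse_slashes(path: str) -> str:
    """Collapse runs of '/' to a single '/', as the filesystem mapping does."""
    return re.sub(r"/+", "/", path)

def location_match(pattern: str, path: str) -> bool:
    """Model of LocationMatch: the regex is applied to the un-collapsed path."""
    return re.search(pattern, path) is not None

def audit_pattern(pattern: str, paths) -> list:
    """Return the request paths on which `pattern` decides differently for the
    raw path and for its slash-collapsed form, i.e. where the rule is skipped."""
    return [
        p for p in paths
        if location_match(pattern, p) != location_match(pattern, collapse_slashes(p))
    ]

# Constructed sample request paths (not taken from the advisory).
SAMPLE_PATHS = ["/admin/", "//admin/", "/admin//users", "/public/index.html"]

# A pattern written without duplicate slashes in mind ...
NAIVE_PATTERN = r"^/admin/"
# ... and one that accounts for them, as the advisory text requires.
ROBUST_PATTERN = r"^/+admin/+"

if __name__ == "__main__":
    for name, pat in (("naive", NAIVE_PATTERN), ("robust", ROBUST_PATTERN)):
        print(f"{name:6s} {pat!r}: inconsistent for {audit_pattern(pat, SAMPLE_PATHS)}")
```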
CVE-2019-10092
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
Update packages.
N/A
SRPMS
Asianux Server 4 for x86_64