ELA-117-1 apache2 security update

access control bypass

Related CVEs: CVE-2019-0217, CVE-2019-0220


Simon Kappel discovered a race condition in mod_auth_digest when running in
a threaded server which could allow a user with valid credentials to
authenticate using another username, bypassing configured access control.


Bernhard Lorenz of Alpha Strike Labs GmbH discovered an httpd URL
normalization inconsistency: when the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as
LocationMatch and RewriteRule must account for duplicates in regular
expressions, while other aspects of the server's processing will implicitly
collapse them.
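
As an added illustration (not part of the original advisory), this Python sketch audits a configuration for LocationMatch and RewriteRule patterns that match a path but not the same path written with duplicate slashes. The configuration, request paths and function names are constructed for the example, and it assumes Python's re module behaves like httpd's regex engine for these simple patterns.

```python
import re

# Constructed sample configuration (hypothetical, not from the advisory).
SAMPLE_CONF = '''
<LocationMatch "^/admin/">
    Deny from all
</LocationMatch>
<LocationMatch "^/+status/*$">
    Deny from all
</LocationMatch>
RewriteRule "^/private/(.*)$" - [F]
'''

# Constructed request paths the directives above are meant to cover.
SAMPLE_PATHS = ["/admin/panel", "/status", "/private/report.txt"]

LOCATION_MATCH = re.compile(r'<LocationMatch\s+"?([^"\s>]+)"?\s*>')
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+"?([^"\s]+)"?', re.MULTILINE)


def extract_patterns(conf):
    """Return (directive, regex) pairs found in the configuration text."""
    found = [("LocationMatch", p) for p in LOCATION_MATCH.findall(conf)]
    found += [("RewriteRule", p) for p in REWRITE_RULE.findall(conf)]
    return found


def with_duplicate_slashes(path):
    """Same path with every slash doubled, as a client could send it."""
    return path.replace("/", "//")


def slash_sensitive(pattern, paths):
    """Paths the regex matches only while their slashes are not duplicated."""
    rx = re.compile(pattern)  # unanchored search, like the directives
    return [p for p in paths
            if rx.search(p) and not rx.search(with_duplicate_slashes(p))]


def audit(conf, paths):
    """Map each pattern that ignores duplicate slashes to the paths it misses."""
    report = {}
    for directive, pattern in extract_patterns(conf):
        missed = slash_sensitive(pattern, paths)
        if missed:
            report[(directive, pattern)] = missed
    return report
```

Patterns written with `/+` in place of a literal `/`, like the second LocationMatch above, are not reported.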

For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.

We recommend that you upgrade your apache2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.