Bugzilla – Bug 1122840
VUL-0: CVE-2019-0190: apache2: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Last modified: 2019-01-23 07:34:20 UTC
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Vendor: The Apache Software Foundation
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service. This bug can be only triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.
The issue was identified through user bug reports.
Which means only Tumbleweed, for which the fix is already on its way.
(Where it is built against 1.1.0.)