Bugzilla – Bug 1131241
VUL-0: CVE-2019-0220: apache2: URL normalization inconsistincy
Last modified: 2021-01-12 12:15:45 UTC
CVE-2019-0220 When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. Acknowledgements: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH. Reported to security team 20th January 2019 Issue public 1st April 2019 Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0220 https://httpd.apache.org/security/vulnerabilities_24.html
https://svn.apache.org/viewvc?view=revision&revision=1855705
https://svn.apache.org/viewvc?view=revision&revision=1855737 respectively
plus https://svn.apache.org/viewvc?view=revision&revision=1855751
Submitted for 15,12sp2,12sp1,12,11sp1,10sp3/apache2. I believe all fixed
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2019-04-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64252
SUSE-SU-2019:0873-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1131233,1131237,1131239,1131241,1131245 CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): apache2-2.4.33-3.15.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): apache2-2.4.33-3.15.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:0878-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1131233,1131237,1131239,1131241,1131245 CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220 Sources used: SUSE OpenStack Cloud 7 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Server 12-SP4 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Server 12-SP3 (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): apache2-2.4.23-29.40.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.40.1 SUSE Enterprise Storage 4 (src): apache2-2.4.23-29.40.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:0888-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1122839,1131239,1131241 CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220 Sources used: SUSE Linux Enterprise Server 12-SP1-LTSS (src): apache2-2.4.16-20.24.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:0889-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1122839,1131239,1131241 CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): apache2-2.4.10-14.36.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1190-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1131233,1131237,1131239,1131241,1131245 CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220 Sources used: openSUSE Leap 42.3 (src): apache2-2.4.23-45.1
openSUSE-SU-2019:1209-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1131233,1131237,1131239,1131241,1131245 CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220 Sources used: openSUSE Leap 15.0 (src): apache2-2.4.33-lp150.2.17.1
openSUSE-SU-2019:1258-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1131233,1131237,1131239,1131241,1131245 CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220 Sources used: openSUSE Leap 42.3 (src): apache2-2.4.23-49.1
done