Bug 1131241 – VUL-0: CVE-2019-0220: apache2: URL normalization inconsistincy

Bug 1131241 - (CVE-2019-0220) VUL-0: CVE-2019-0220: apache2: URL normalization inconsistincy

(CVE-2019-0220)
Summary:	VUL-0: CVE-2019-0220: apache2: URL normalization inconsistincy

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/228634/
Whiteboard:	maint:released:sle10-sp3:64253
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-04-02 08:22 UTC by Karol Babioch
Modified:	2021-01-12 12:15 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2019-04-02 08:22:40 UTC

CVE-2019-0220

When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Acknowledgements: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
Reported to security team 	20th January 2019
Issue public 	1st April 2019
Affects 	2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0220
https://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Petr Gajdos 2019-04-02 13:56:00 UTC

https://svn.apache.org/viewvc?view=revision&revision=1855705

Comment 2 Petr Gajdos 2019-04-02 14:08:24 UTC

https://svn.apache.org/viewvc?view=revision&revision=1855737 respectively

Comment 3 Petr Gajdos 2019-04-02 14:16:41 UTC

plus
https://svn.apache.org/viewvc?view=revision&revision=1855751

Comment 4 Petr Gajdos 2019-04-03 12:56:45 UTC

Submitted for 15,12sp2,12sp1,12,11sp1,10sp3/apache2.

I believe all fixed

Comment 6 Swamp Workflow Management 2019-04-04 14:04:04 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2019-04-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64252

Comment 7 Swamp Workflow Management 2019-04-04 22:10:30 UTC

SUSE-SU-2019:0873-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1131233,1131237,1131239,1131241,1131245
CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache2-2.4.33-3.15.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2019-04-04 22:16:25 UTC

SUSE-SU-2019:0878-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1131233,1131237,1131239,1131241,1131245
CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE OpenStack Cloud 7 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Server 12-SP4 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    apache2-2.4.23-29.40.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    apache2-2.4.23-29.40.1
SUSE Enterprise Storage 4 (src):    apache2-2.4.23-29.40.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2019-04-05 10:14:08 UTC

SUSE-SU-2019:0888-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    apache2-2.4.16-20.24.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2019-04-05 10:16:04 UTC

SUSE-SU-2019:0889-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    apache2-2.4.10-14.36.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2019-04-11 13:09:32 UTC

openSUSE-SU-2019:1190-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1131233,1131237,1131239,1131241,1131245
CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-45.1

Comment 12 Swamp Workflow Management 2019-04-16 13:10:27 UTC

openSUSE-SU-2019:1209-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1131233,1131237,1131239,1131241,1131245
CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.17.1

Comment 13 Swamp Workflow Management 2019-04-23 19:10:20 UTC

openSUSE-SU-2019:1258-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1131233,1131237,1131239,1131241,1131245
CVE References: CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-49.1

Comment 14 Marcus Meissner 2019-07-18 07:05:56 UTC

done