Bugzilla – Bug 1175071
VUL-0: CVE-2020-9490: apache2: specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash
Last modified: 2022-01-05 12:35:12 UTC
CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9490
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9490.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
https://lists.apache.org/thread.html/r9e9f1a7609760f0f80562eaaec2aa3c32d525c3e0fca98b475240c71@%3Cdev.httpd.apache.org%3E
https://security.gentoo.org/glsa/202008-04
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9490.html
https://svn.apache.org/viewvc?view=revision&revision=1880396
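An added example, not part of the bug report or of Apache's own code: a small auditor that checks whether the "H2Push off" mitigation is actually effective in every scope that negotiates HTTP/2. It assumes only server-level and `<VirtualHost>` scopes matter, does not follow `Include` files, and assumes mod_http2 is loaded; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not from any real server).
SAMPLE_CONF = """\
Protocols h2 http/1.1
<VirtualHost *:443>
    ServerName a.example
    H2Push off
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    Protocols http/1.1
</VirtualHost>
"""

def scopes_with_push_enabled(conf_text):
    """Return scopes that negotiate HTTP/2 while H2Push is effectively on."""
    scopes = {"(server)": {}}   # scope label -> directives set in that scope
    current = "(server)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = f"vhost#{len(scopes)} {opened.group(1).strip()}"
            scopes[current] = {}
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = "(server)"
        else:
            name, *args = line.split()
            if args and name.lower() in ("protocols", "h2push", "servername"):
                scopes[current][name.lower()] = [a.lower() for a in args]
    base = scopes["(server)"]
    flagged = []
    for label, own in scopes.items():
        # Virtual hosts inherit server-level values they do not override.
        protocols = own.get("protocols", base.get("protocols", ["http/1.1"]))
        push = own.get("h2push", base.get("h2push", ["on"]))  # default: on
        if {"h2", "h2c"} & set(protocols) and push != ["off"]:
            flagged.append(own.get("servername", [label])[0])
    return flagged

if __name__ == "__main__":
    for scope in scopes_with_push_enabled(SAMPLE_CONF):
        print("H2Push still on for HTTP/2 scope:", scope)
```

An empty result means every HTTP/2-enabled scope in the inspected text has push disabled; it says nothing about whether the installed package already carries the fix.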
Will submit for 15sp2,15,12sp2/apache2.
isc:home:pgajdos:apache-test:after looks good. I believe all fixed.
SUSE-SU-2020:2311-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1174052,1175070,1175071,1175074
CVE References: CVE-2020-11984,CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): apache2-2.4.43-3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): apache2-2.4.43-3.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2344-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1175070,1175071,1175074
CVE References: CVE-2020-11984,CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-3.33.1
SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-3.33.1
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): apache2-2.4.33-3.33.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-3.33.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-3.33.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1285-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1174052,1175070,1175071,1175074
CVE References: CVE-2020-11984,CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): apache2-2.4.43-lp152.2.3.1
openSUSE-SU-2020:1293-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1175070,1175071,1175074
CVE References: CVE-2020-11984,CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): apache2-2.4.33-lp151.8.15.1
SUSE-SU-2020:2450-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1175070,1175071,1175072
CVE References: CVE-2020-11985,CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): apache2-2.4.23-29.63.1
SUSE OpenStack Cloud Crowbar 8 (src): apache2-2.4.23-29.63.1
SUSE OpenStack Cloud 9 (src): apache2-2.4.23-29.63.1
SUSE OpenStack Cloud 8 (src): apache2-2.4.23-29.63.1
SUSE OpenStack Cloud 7 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP5 (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): apache2-2.4.23-29.63.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.63.1
SUSE Enterprise Storage 5 (src): apache2-2.4.23-29.63.1
HPE Helion Openstack 8 (src): apache2-2.4.23-29.63.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released
SUSE-SU-2020:3067-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1175070,1175071,1178074
CVE References: CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-3.41.1
SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-3.41.1
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): apache2-2.4.33-3.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-3.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-3.41.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1792-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1175070,1175071,1178074
CVE References: CVE-2020-11993,CVE-2020-9490
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): apache2-2.4.33-lp151.8.21.1