CVE-2019-0220 - Fedoraproject Fedora, Debian Debian Linux and Opensuse Leap
Moderate 5.3
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
Affected software
Fedoraproject Fedora
Debian Debian Linux
Opensuse Leap
Apache HTTP Server
Canonical Ubuntu Linux
Reference links
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html
- http://www.openwall.com/lists/oss-security/2019/04/02/6
- http://www.securityfocus.com/bid/107670
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
- https://seclists.org/bugtraq/2019/Apr/5
- https://support.f5.com/csp/article/K44591505
- https://usn.ubuntu.com/3937-1/
- https://www.debian.org/security/2019/dsa-4422