Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

To: Salvatore Bonaccorso <carnil@debian.org>, 920220@bugs.debian.org
Subject: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
From: Xavier <yadd@debian.org>
Date: Wed, 23 Jan 2019 09:18:36 +0100
Message-id: <[🔎] 26de356e-46ea-2847-ed1f-e2a7653db1d1@debian.org>
Reply-to: Xavier <yadd@debian.org>, 920220@bugs.debian.org
In-reply-to: <[🔎] 154818831845.19252.4400934716675438065.reportbug@eldamar.local>
References: <[🔎] 154818831845.19252.4400934716675438065.reportbug@eldamar.local> <[🔎] 154818831845.19252.4400934716675438065.reportbug@eldamar.local>

Hello,

Debian bug is tagged as "patch", but I didn't find any patch in the
related documents. Can you give me the link to patch ?

Cheers,
Xavier

Le 22/01/2019 à 21:18, Salvatore Bonaccorso a écrit :
> Source: apache2
> Version: 2.4.37-1
> Severity: grave
> Tags: patch security upstream
> 
> Hi (Stefan),
> 
> I agree the severity is not the best choosen one for this issue, it is
> more to ensure we could release buster with an appropriate fix already
> before the release. If you disagree, please do downgrade.
> 
> The following vulnerability was published for apache2.
> 
> CVE-2019-0190[0]:
> mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-0190
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
> [1] https://marc.info/?l=oss-security&m=154817901921421&w=2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
>

Reply to:

Follow-Ups:
- Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#920235: Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell
Next by Date: Bug#902493: apache2-bin: Event MPM listener thread may get blocked by SSL shutdowns
Previous by thread: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Next by thread: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Index(es):
- Date
- Thread