Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-CAF545F2-C0D9-11E9-9051-4C72B94353B5 (CVE-2019-10098): Apache -- Multiple vulnerabilities


Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 08/14/2019
Created: 08/20/2019
Added: 08/18/2019
Modified: 10/01/2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-CAF545F2-C0D9-11E9-9051-4C72B94353B5:

SO-AND-SO reports:

SECURITY: CVE-2019-10081

mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

SECURITY: CVE-2019-9517

mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

SECURITY: CVE-2019-10098

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters.

SECURITY: CVE-2019-10092

Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links.

SECURITY: CVE-2019-10097

mod_remoteip: Fix stack buffer overflow and NULL pointer dereference when reading the PROXY protocol header.

CVE-2019-10082

mod_http2: Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

Solution(s)

  • freebsd-upgrade-package-apache24
