Bug 1695036 (CVE-2019-0220)
| Summary: | CVE-2019-0220 httpd: URL normalization inconsistency | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Maryna Nalbandian <mnalband> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anon.amish, bmcclain, csutherl, cylopez, dblechte, dfediuck, eedri, gzaronik, hhorak, huzaifas, jclere, jdoyle, jkaluza, jorton, krathod, lgao, luhliari, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, pahan, pslavice, rsvoboda, sbonazzo, sherold, twalsh, weli, yoguma, yozone, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | httpd 2.4.39 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 19:20:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1695046, 1696095, 1696096, 1696097 | ||
| Bug Blocks: | 1694984 | ||
External References: https://httpd.apache.org/security/vulnerabilities_24.html http://www.apache.org/dist/httpd/CHANGES_2.4 Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1695046] Statement: Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Mitigation: This flaw can be mitigation by replacing multiple consecutive slashes, used in directives that match against the path component of the request URL with regular expressions. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2343 https://access.redhat.com/errata/RHSA-2019:2343 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0220 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3436 https://access.redhat.com/errata/RHSA-2019:3436 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:4126 https://access.redhat.com/errata/RHSA-2019:4126 This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2020:0251 https://access.redhat.com/errata/RHSA-2020:0251 This issue has been addressed in the following products: JBoss Core Services on RHEL 6 JBoss Core Services on RHEL 7 Via RHSA-2020:0250 https://access.redhat.com/errata/RHSA-2020:0250 |
When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.