Package | apache2 |
---|---|
Version | 2.2.22-13+deb7u14 |
Related CVEs | CVE-2019-0217 CVE-2019-0220 |
CVE-2019-0217
Simon Kappel discovered a race condition in mod_auth_digest when running in
a threaded server which could allow a user with valid credentials to
authenticate using another username, bypassing configured access control
restrictions.
CVE-2019-0220
Bernhard Lorenz of Alpha Strike Labs GmbH discovered an httpd URL
normalization inconsistency. When the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as
LocationMatch and RewriteRule must account for duplicates in regular
expressions, while other aspects of the server's processing will implicitly
collapse them.
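
The following check is an added example, not part of the advisory or of Apache's code: it flags LocationMatch-style regular expressions that stop matching once a slash in a covered path is duplicated. The patterns and paths are constructed samples, and Python's `re` module stands in for httpd's regex engine, an assumption that holds for simple patterns like these.

```python
import re

def collapse_slashes(path):
    """Collapse runs of '/' into one, as the advisory says other processing does."""
    return re.sub(r"/{2,}", "/", path)

def slash_variants(path):
    """Yield copies of `path` with one '/' doubled, one position at a time."""
    for i, ch in enumerate(path):
        if ch == "/":
            yield path[:i] + "/" + path[i:]

def audit_pattern(pattern, paths):
    """Return slash-duplicated forms of covered paths that `pattern` misses.

    A path counts as covered when the pattern matches its normal form.
    Each returned variant collapses to a covered path, yet the regex,
    which sees the raw request path, no longer matches it.
    """
    rx = re.compile(pattern)
    missed = []
    for path in paths:
        if not rx.search(path):
            continue  # the pattern was never meant to cover this path
        for variant in slash_variants(path):
            if collapse_slashes(variant) == path and not rx.search(variant):
                missed.append(variant)
    return missed

# Constructed samples: a pattern written for single slashes only, and one
# that accounts for duplicates as the advisory says directives must.
WEAK = r"^/private/"
HARDENED = r"^/+private/+"
PATHS = ["/private/report.txt", "/public/index.html"]

if __name__ == "__main__":
    for name, pattern in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, pattern, "misses:", audit_pattern(pattern, PATHS))
```
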
For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.
We recommend that you upgrade your apache2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.