
List:       oss-security
Subject:    [oss-security] CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
From:       Daniel Ruggeri <druggeri () apache ! org>
Date:       2019-01-22 17:43:39


CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service.  This bug can only be triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
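
Added example (not part of the advisory and not Apache code): a Python triage helper that applies the affected condition stated above, httpd 2.4.37 combined with OpenSSL 1.1.1 or later, to server banner strings collected from your own hosts. It assumes banners in the form httpd emits with `ServerTokens Full`; the function names and sample banners are constructed for illustration.

```python
import re

# Assumed banner shape (ServerTokens Full), e.g. "Apache/2.4.37 (Unix) OpenSSL/1.1.1a",
# as seen in the Server response header or the startup line of the error log.
HTTPD_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)")

AFFECTED_HTTPD = (2, 4, 37)   # the only release listed under "Versions Affected"
MIN_OPENSSL = (1, 1, 1)       # "OpenSSL version 1.1.1 or later"


def classify(banner: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for one banner string."""
    h = HTTPD_RE.search(banner)
    if not h:
        return "unknown"                      # version hidden or not httpd
    if tuple(int(x) for x in h.groups()) != AFFECTED_HTTPD:
        return "not-affected"
    o = OPENSSL_RE.search(banner)
    if not o:
        # 2.4.37 but no TLS library token: check by hand which OpenSSL
        # mod_ssl is linked against before ruling the host out.
        return "unknown"
    # Letter suffixes (1.1.1a, 1.0.2q) are patch levels and do not change
    # which side of the 1.1.1 boundary a build falls on, so they are ignored.
    openssl = tuple(int(x) for x in o.groups())
    return "affected" if openssl >= MIN_OPENSSL else "not-affected"


def triage(banners: dict) -> dict:
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(b) for host, b in banners.items()}


# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = {
    "web-a": "Apache/2.4.37 (Unix) OpenSSL/1.1.1a",
    "web-b": "Apache/2.4.37 (Unix) OpenSSL/1.0.2q",
    "web-c": "Apache/2.4.38 (Unix) OpenSSL/1.1.1a",
    "web-d": "Apache/2.4.37 (Unix)",
    "web-e": "Apache",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `unknown` need a manual check, and distribution packages that backport fixes without changing the version string can make a banner-based result wrong in either direction.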
