Related CVEs: CVE-2019-0217, CVE-2019-0220
Simon Kappel discovered a race condition in mod_auth_digest when running in a threaded server which could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Bernhard Lorenz of Alpha Strike Labs GmbH discovered an httpd URL normalization inconsistency: when the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.
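The following check is an added example, not part of the advisory or of httpd: it reports which slash-duplicated forms of a protected path a LocationMatch- or RewriteRule-style regular expression fails to match. The patterns, the path /private/report.html and the function names are constructed for illustration, and Python's re module stands in for httpd's regex engine.

```python
import re


def collapse_slashes(path):
    """Collapse runs of '/' into one, as the rest of the server's processing does."""
    return re.sub(r"/{2,}", "/", path)


def slash_variants(path):
    """Return constructed variants of path with each '/' doubled, then all doubled."""
    positions = [i for i, ch in enumerate(path) if ch == "/"]
    variants = [path[:i] + "/" + path[i:] for i in positions]
    variants.append(path.replace("/", "//"))
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def missed_variants(pattern, path):
    """List variants that collapse to path but are not matched by pattern.

    An empty list means the pattern accounts for duplicate slashes on this
    path; any entry is a URL form the directive would not apply to.
    """
    rx = re.compile(pattern)
    if not rx.search(path):
        raise ValueError("pattern does not match the canonical path at all")
    return [
        v for v in slash_variants(path)
        if collapse_slashes(v) == path and not rx.search(v)
    ]


if __name__ == "__main__":
    protected = "/private/report.html"  # constructed sample path
    patterns = {
        "single-slash pattern": r"^/private/",
        "duplicate-tolerant pattern": r"^/+private/+",
    }
    for label, pattern in patterns.items():
        missed = missed_variants(pattern, protected)
        status = "OK" if not missed else "misses " + ", ".join(missed)
        print(f"{label:28} {pattern:16} {status}")
```
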
For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.
We recommend that you upgrade your apache2 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/