ELA-117-1 apache2 security update

access control bypass

Packageapache2
Version2.2.22-13+deb7u14
Related CVE CVE-2019-0217 CVE-2019-0220

CVE-2019-0217

Simon Kappel discovered a race condition in mod_auth_digest when running in
a threaded server which could allow a user with valid credentials to
authenticate using another username, bypassing configured access control
restrictions.

CVE-2019-0220

Bernhard Lorenz of Alpha Strike Labs GmbH discovered a httpd URL
normalization inconsistincy when the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as
LocationMatch and RewriteRule must account for duplicates in regular
expressions while other aspects of the servers processing will implicitly
collapse them.

For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.

We recommend that you upgrade your apache2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/