Bug 1122840 (CVE-2019-0190) - VUL-0: CVE-2019-0190: apache2: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Summary: VUL-0: CVE-2019-0190: apache2: mod_ssl 2.4.37 remote DoS when used with OpenS...
Status: RESOLVED WORKSFORME
Alias: CVE-2019-0190
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-23 07:02 UTC by Marcus Meissner
Modified: 2019-01-23 07:34 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2019-01-23 07:02:34 UTC
via oss-sec

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service. This bug can only be triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
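The advisory pins the exposure to one exact pairing: httpd 2.4.37 with mod_ssl linked against OpenSSL 1.1.1 or later (Comment 2 below illustrates the other side of that condition, a 2.4.37 build against 1.1.0 that is not affected). The following added example, which is not part of the bug report, the Apache advisory, or any SUSE tooling, turns that condition into a checker a defender can run over an httpd error log. It assumes the usual shape of mod_ssl's startup message `AH01876: mod_ssl/X compiled against Server: Apache/X, Library: OpenSSL/Y`; the three sample log lines are constructed for the example, not taken from any real system.

```python
import re

# Facts from the advisory above: only httpd 2.4.37 is affected, and only when
# mod_ssl is used with OpenSSL 1.1.1 or later; 2.4.38 carries the fix.
AFFECTED_HTTPD = (2, 4, 37)
OPENSSL_THRESHOLD = (1, 1, 1)

# Constructed sample lines in the shape of mod_ssl's AH01876 startup message
# (assumed format; not copied from any real log). Note that AH01876 reports the
# OpenSSL the module was *compiled* against, which is what the SUSE comment
# below refers to when it says Tumbleweed is built against 1.1.0.
SAMPLE_LOG_LINES = [
    "[Wed Jan 23 07:02:34.000000 2019] [ssl:info] [pid 1234:tid 1] AH01876: "
    "mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.1.1a",
    "[Wed Jan 23 07:13:25.000000 2019] [ssl:info] [pid 1235:tid 1] AH01876: "
    "mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.1.0i",
    "[Wed Jan 23 07:34:20.000000 2019] [ssl:info] [pid 1236:tid 1] AH01876: "
    "mod_ssl/2.4.38 compiled against Server: Apache/2.4.38, Library: OpenSSL/1.1.1a",
]

_HTTPD_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Pre-3.0 OpenSSL appends a letter for patch releases (1.1.1a, 1.1.1b, ...);
# 3.x uses plain numbers, so the letter group is optional.
_OPENSSL_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_httpd_version(text):
    """Return (major, minor, patch) from text containing 'Apache/2.4.37'."""
    m = _HTTPD_RE.search(text)
    if not m:
        raise ValueError("no Apache version found in: %r" % text)
    return tuple(int(g) for g in m.groups())


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from 'OpenSSL/1.1.1a' or
    the output of 'openssl version' such as 'OpenSSL 1.1.1a  20 Nov 2018'."""
    m = _OPENSSL_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(httpd_version, openssl_version):
    """Apply the advisory's condition: exactly httpd 2.4.37 AND OpenSSL >= 1.1.1.
    The patch letter only orders releases within a series, so it is ignored."""
    return httpd_version == AFFECTED_HTTPD and openssl_version[:3] >= OPENSSL_THRESHOLD


def assess_log_line(line):
    """For an AH01876 line return (httpd, openssl, affected); None for other lines."""
    if "AH01876" not in line:
        return None
    httpd = parse_httpd_version(line)
    openssl = parse_openssl_version(line)
    return (httpd, openssl, is_affected(httpd, openssl))


def assess_log(lines):
    """Collect one assessment tuple per mod_ssl startup line found in the log."""
    return [r for r in (assess_log_line(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for httpd, openssl, affected in assess_log(SAMPLE_LOG_LINES):
        print("httpd %d.%d.%d with OpenSSL %d.%d.%d%s -> %s" % (
            httpd + openssl + ("AFFECTED, upgrade to 2.4.38" if affected else "not affected",)))
```

Run it against the real error log with `assess_log(open("/var/log/apache2/error_log"))`; only the server that is exactly 2.4.37 and linked against 1.1.1 or newer is flagged, which matches the three outcomes the advisory and the comments describe (affected, built against 1.1.0, already on 2.4.38).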
Comment 1 Petr Gajdos 2019-01-23 07:13:25 UTC
Which means only Tumbleweed, for which the fix is already on its way.
Comment 2 Petr Gajdos 2019-01-23 07:34:20 UTC
(Where it is built against 1.1.0.)