CVE-2019-0211

Published: 02 April 2019

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Priority

High

CVSS 3 base score: 7.8

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.4.29-1ubuntu4.6)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.4.18-2ubuntu3.10)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(2.4.7-1ubuntu4.21)
Patches:
Upstream: https://github.com/apache/httpd/commit/df7edb5ddae609ea1fd4285f7439f0d590d97b37