Alpine: multiple apache2 packages: security update to 2.4.39-r0

high Tenable Cloud Security Plugin ID 423648

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in
less-privileged child processes or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by
manipulating the scoreboard. Non-Unix systems are not affected. (CVE-2019-0211)

- A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2
request handling could be made to access freed memory in string comparison when determining the method of
a request and thus process the request incorrectly. (CVE-2019-0196)

- A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host
or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not
the first request on a connection could lead to a misconfiguration and crash. Server that never enabled
the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this
issue. (CVE-2019-0197)

- In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client
certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
(CVE-2019-0215)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-0196

https://security.alpinelinux.org/vuln/CVE-2019-0197

https://security.alpinelinux.org/vuln/CVE-2019-0211

https://security.alpinelinux.org/vuln/CVE-2019-0215

https://security.alpinelinux.org/vuln/CVE-2019-0217

https://security.alpinelinux.org/vuln/CVE-2019-0220

Plugin Details

Severity: High

ID: 423648

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-0211

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/1/2019

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220

BID: 107665, 107666, 107667, 107668, 107669, 107670

IAVA: 2019-A-0098-S