Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:alpm/archlinux/apache@2.4.38-1
purl pkg:alpm/archlinux/apache@2.4.38-1
Next non-vulnerable version 2.4.39-1
Latest non-vulnerable version 2.4.55-1
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-4sss-a8ne-kqbc
Aliases:
CVE-2019-0197
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the "H2Upgrade on" is unaffected by this.
2.4.39-1
Affected by 0 other vulnerabilities.
VCID-6vxq-uxxw-ybeh
Aliases:
CVE-2019-0196
Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly.
2.4.39-1
Affected by 0 other vulnerabilities.
VCID-ehv1-yvpu-ubcg
Aliases:
CVE-2019-0211
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
2.4.39-1
Affected by 0 other vulnerabilities.
VCID-ugdv-apr8-g3bz
Aliases:
CVE-2019-0215
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
2.4.39-1
Affected by 0 other vulnerabilities.
VCID-uwqg-yytc-vfae
Aliases:
CVE-2019-0220
When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
2.4.39-1
Affected by 0 other vulnerabilities.
VCID-w6p6-u8ku-k3f6
Aliases:
CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
2.4.39-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-7u2r-egf2-vfhx By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. CVE-2018-17189
VCID-7vjg-vetg-p7f6 A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. CVE-2019-0190
VCID-ct26-19cq-8kd7 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. CVE-2018-17199

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T18:25:59.673762+00:00 Arch Linux Importer Fixing VCID-7u2r-egf2-vfhx https://security.archlinux.org/AVG-857 38.0.0
2026-04-01T18:25:59.649092+00:00 Arch Linux Importer Fixing VCID-ct26-19cq-8kd7 https://security.archlinux.org/AVG-857 38.0.0
2026-04-01T18:25:59.624701+00:00 Arch Linux Importer Fixing VCID-7vjg-vetg-p7f6 https://security.archlinux.org/AVG-857 38.0.0
2026-04-01T18:24:30.056718+00:00 Arch Linux Importer Affected by VCID-6vxq-uxxw-ybeh https://security.archlinux.org/AVG-946 38.0.0
2026-04-01T18:24:30.033798+00:00 Arch Linux Importer Affected by VCID-4sss-a8ne-kqbc https://security.archlinux.org/AVG-946 38.0.0
2026-04-01T18:24:30.008980+00:00 Arch Linux Importer Affected by VCID-ehv1-yvpu-ubcg https://security.archlinux.org/AVG-946 38.0.0
2026-04-01T18:24:29.983764+00:00 Arch Linux Importer Affected by VCID-ugdv-apr8-g3bz https://security.archlinux.org/AVG-946 38.0.0
2026-04-01T18:24:29.958207+00:00 Arch Linux Importer Affected by VCID-w6p6-u8ku-k3f6 https://security.archlinux.org/AVG-946 38.0.0
2026-04-01T18:24:29.934664+00:00 Arch Linux Importer Affected by VCID-uwqg-yytc-vfae https://security.archlinux.org/AVG-946 38.0.0