From: Daniel Ruggeri <druggeri@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

Description:
By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections in Apache HTTP Server versions 2.4.37 and prior.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
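
A check for the condition this advisory describes, added here as an example and not part of the original message or of Apache's own tooling: it reports a host as affected only when the httpd version is in the range 2.4.17 to 2.4.37 and mod_http2 (`http2_module`) is loaded. The function names and sample inputs are constructed, and the script assumes the usual output formats of `httpd -v` and `httpd -M`.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): decide whether an httpd install
# matches CVE-2018-17189, i.e. version 2.4.17 to 2.4.37 AND mod_http2 loaded.

# Extract "x.y.z" from `httpd -v` output,
# e.g. "Server version: Apache/2.4.37 (Unix)".
httpd_version() {
  printf '%s\n' "$1" |
    sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
    head -n 1
}

# Succeeds when `httpd -M` output lists http2_module (mod_http2).
has_http2() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# Prints one of: affected | not-affected | unknown
cve_2018_17189_status() {
  local banner="$1" modules="$2" ver major minor patch
  ver=$(httpd_version "$banner")
  # No parsable version banner: do not guess.
  [ -n "$ver" ] || { echo unknown; return; }
  IFS=. read -r major minor patch <<EOF
$ver
EOF
  # The advisory's range lies entirely within the 2.4 line.
  if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then echo not-affected; return; fi
  if [ "$patch" -lt 17 ] || [ "$patch" -gt 37 ]; then echo not-affected; return; fi
  # In range: only HTTP/2 (mod_http2) deployments are affected.
  if has_http2 "$modules"; then echo affected; else echo not-affected; fi
}

# Constructed sample inputs (not captured from a real host).
sample_banner='Server version: Apache/2.4.37 (Unix)'
sample_modules=' core_module (static)
 http2_module (shared)'
cve_2018_17189_status "$sample_banner" "$sample_modules"

# On a live host (the binary may be named apache2 or apachectl instead):
#   cve_2018_17189_status "$(httpd -v)" "$(httpd -M 2>/dev/null)"
```

Distribution packages can carry a backported fix under an older upstream version number, so treat an "affected" result from such a package as a prompt to check the vendor's changelog.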