Date: Mon, 01 Apr 2019 20:31:24 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-0197: mod_http2, possible crash on late upgrade CVE-2019-0197: mod_http2, possible crash on late upgrade Severity: Low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.34 to 2.4.38 Description: When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol or only enabled it for https: and did not set"H2Upgrade on" are unaffected by this issue. Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.39 or later. Credit: The issue was discovered by Stefan Eissing, greenbytes.de. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.