Message-ID: <1554168684.JAZHRVAC@httpd.apache.org>
Date: Mon, 01 Apr 2019 20:31:24 -0500
From: Daniel Ruggeri <druggeri@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-0197: mod_http2, possible crash on late upgrade


CVE-2019-0197: mod_http2, possible crash on late upgrade

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.34 to 2.4.38

Description:
When HTTP/2 was enabled for an http: host, or H2Upgrade was enabled for h2
on an https: host, an Upgrade request from HTTP/1.1 to HTTP/2 that was
not the first request on a connection could lead to a misconfiguration
and crash. Servers that never enabled the h2 protocol, or only enabled it
for https: and did not set "H2Upgrade on", are unaffected by this issue.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.
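The following is an added triage helper, not code from the advisory or from the httpd project. It applies the two conditions stated above to a server: the affected version range (2.4.34 to 2.4.38, taken from the "Server version:" line that `httpd -V` prints) and the configuration condition (an http: virtual host with h2c enabled, or an https: virtual host with h2 enabled and an explicit "H2Upgrade on"). The sample `httpd -V` output and the sample configuration are constructed for the example. It assumes a flat configuration (no Include directives, no blocks other than VirtualHost) and relies on the mod_http2 documentation's default of H2Upgrade being off for TLS connections, which is why only an explicit "H2Upgrade on" counts on https: hosts.

```python
import re

# Constructed sample of the first line of `httpd -V` (also `apachectl -V`).
SAMPLE_HTTPD_V = "Server version: Apache/2.4.38 (Unix)\nServer built:   Jan 22 2019 13:32:12\n"

# Constructed sample configuration covering the four cases the advisory distinguishes.
SAMPLE_CONFIG = """
Protocols http/1.1              # server-wide default: no HTTP/2 at all

<VirtualHost *:80>
    ServerName plain.example.test
    Protocols h2c http/1.1      # HTTP/2 enabled for an http: host: affected
</VirtualHost>

<VirtualHost *:443>
    ServerName tls-default.example.test
    SSLEngine on
    Protocols h2 http/1.1       # h2 only over TLS, H2Upgrade left at its default (off): unaffected
</VirtualHost>

<VirtualHost *:443>
    ServerName tls-upgrade.example.test
    SSLEngine on
    Protocols h2 http/1.1
    H2Upgrade on                # explicit upgrade on an https: host: affected
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example.test
    # inherits the server-wide "Protocols http/1.1": unaffected
</VirtualHost>
"""


def parse_version(httpd_v_output):
    """Return (major, minor, patch) from the 'Server version:' line of `httpd -V`."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return tuple(int(x) for x in m.groups())


def version_affected(httpd_v_output):
    """True when the build falls in the advisory's range httpd 2.4.34 to 2.4.38."""
    return (2, 4, 34) <= parse_version(httpd_v_output) <= (2, 4, 38)


def parse_vhosts(config_text):
    """Collect the directives relevant to this advisory for each <VirtualHost>.

    Server-level Protocols / H2Upgrade apply to a vhost unless it sets its own.
    Assumption: flat config, no Include, no nesting other than VirtualHost.
    """
    global_ctx = {"Protocols": None, "H2Upgrade": None}
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.lower().startswith("<virtualhost"):
            current = {"name": line, "SSLEngine": "off", "Protocols": None, "H2Upgrade": None}
            continue
        if line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
            continue
        parts = line.split()
        key = parts[0].lower()
        ctx = current if current is not None else global_ctx
        if key == "protocols":
            ctx["Protocols"] = [p.lower() for p in parts[1:]]
        elif key == "h2upgrade":
            ctx["H2Upgrade"] = parts[1].lower()
        elif key == "sslengine" and current is not None:
            current["SSLEngine"] = parts[1].lower()
        elif key == "servername" and current is not None:
            current["name"] = parts[1]
    for vh in vhosts:                            # apply server-level defaults
        for k in ("Protocols", "H2Upgrade"):
            if vh[k] is None:
                vh[k] = global_ctx[k]
    return vhosts


def exposed_vhosts(config_text):
    """Names of vhosts matching the advisory's affected condition.

    - cleartext (http:) vhost with h2c in Protocols, or
    - TLS (https:) vhost with h2 in Protocols and an explicit "H2Upgrade on"
      (mod_http2 documents H2Upgrade as off by default on TLS connections).
    """
    out = []
    for vh in parse_vhosts(config_text):
        protos = vh["Protocols"] or ["http/1.1"]  # httpd's default when Protocols is unset
        tls = vh["SSLEngine"] == "on"
        if not tls and "h2c" in protos:
            out.append(vh["name"])
        elif tls and "h2" in protos and vh["H2Upgrade"] == "on":
            out.append(vh["name"])
    return out


if __name__ == "__main__":
    print("version affected:", version_affected(SAMPLE_HTTPD_V))
    print("exposed vhosts:", exposed_vhosts(SAMPLE_CONFIG))
```

On a real host, feed `parse_version` the output of `httpd -V` and `exposed_vhosts` the merged configuration (for example from `httpd -t -D DUMP_VHOSTS` plus the relevant files); a server is exposed only when both checks fire, and upgrading to 2.4.39 clears the first regardless of configuration.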

Credit:
The issue was discovered by Stefan Eissing, greenbytes.de.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
