Date: Wed, 14 Aug 2019 15:50:09 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.18 to 2.4.39 Description: Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.40 or later. Unpatch servers can disable the h2/h2c protocol. Credit: The issue was discovered by Craig Young of Tripwire VERT, <vuln-report@...ur3.us>. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.