|
Message-ID: <adff0383-6beb-d16d-c056-4f5ce5b497d7@apache.org> Date: Thu, 04 Apr 2024 13:56:54 +0000 From: Eric Covener <covener@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames Severity: moderate Affected versions: - Apache HTTP Server 2.4.17 through 2.4.58 Description: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credit: Bartek Nowotarski (https://nowotarski.info/) (finder) References: https://httpd.apache.org/ https://www.cve.org/CVERecord?id=CVE-2024-27316 Timeline: 2024-02-22: Reported to security team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.