Apache httpd -- denial of service in HTTP/2

2016-12-06T00:00:00
ID CB0BF1EC-BB92-11E6-A9A5-B499BAEBFEAF
Type freebsd
Reporter FreeBSD
Modified 2016-12-06T00:00:00

Description

mod_http2 reports:

The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations on request headers correctly when the experimental module for the HTTP/2 protocol is used to access a resource. The net result is that the server allocates too much memory instead of denying the request. This can lead to memory exhaustion of the server by a properly crafted request.