Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

...

CVE-2023-31122 Apache HTTP Server: mod_macro buffer over-read

Out-of-bounds Read vulnerability in modmacro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57...

CVE-2023-31122

Out-of-bounds Read vulnerability in modmacro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57...

CVE-2023-31122 Apache HTTP Server: mod_macro buffer over-read

Out-of-bounds Read vulnerability in modmacro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57...

CVE-2023-31122

CVE-2023-31122 is an out-of-bounds read vulnerability in Apache HTTP Server’s mod_macro affecting versions up to 2.4.57. Connected advisories (Debian, AlmaLinux, Amazon Linux, CIRCL sighting) confirm multiple distro advisories have issued patches and upgrades (e.g., Debian 2.4.59 fixes; AlmaLinux...

CVE-2023-31122

Out-of-bounds Read vulnerability in modmacro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57...

CVE-2023-43622 Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in...

CVE-2023-43622

CVE-2023-43622 affects Apache HTTP Server via the mod_http2 implementation. An attacker opening an HTTP/2 connection with an initial window size of 0 could block handling of that connection indefinitely, potentially exhausting server worker resources in a pattern similar to the slow loris attack....

CVE-2023-43622

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in...

CVE-2023-43622 Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in...

CVE-2023-45802 Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

When a HTTP/2 stream was reset RST frame by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing...

CVE-2023-45802 Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

When a HTTP/2 stream was reset RST frame by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing...

Ubuntu 16.04 ESM : uWSGI vulnerability (USN-5054-2)

The remote Ubuntu 16.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-5054-2 advisory. USN-5054-1 fixed a vulnerability in uWSGI for Ubuntu 18.04 LTS. This update provides the corresponding fixes for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Tenable ha...

SUSE CVE-2023-43622

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in...

[slackware-security] httpd

New httpd packages are available for Slackware 14.0, 14.1, 14.2, 15.0, and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/httpd-2.4.58-i586-1slack15.0.txz: Upgraded. This update fixes bugs and security issues: moderate: Apache HTTP Server...

Security Bulletin: IBM Rational Build Forge is vulnerable to a denial of service due to the use of Apache HTTP server (CVE-2022-29404).

Summary Apache HTTP server is used by IBM Rational Build Forge. This fix includes Apache Http Server 2.4.54 Vulnerability Details CVEID:CVE-2022-29404 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by no default limit on possible input size. By sending a specially...

Security Bulletin: IBM Rational Build Forge is vulnerable a remote attacker to execute arbitrary code on the system due to the use of Apache HTTP Server (CVE-2022-23943)

Summary IBM Rational Build Forge is affected by CVE-2022-23943. Vulnerability Details CVEID:CVE-2022-23943 DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in modsed. By sending specially crafted data, an...

Security Bulletin: IBM Rational Build Forge is vulnerable to HTTP request smuggling due to the use of Apache HTTP server (CVE-2022-26377).

Summary Apache HTTP server is used by IBM Rational Build Forge. This fix includes Apache Http Server 2.4.54 Vulnerability Details CVEID:CVE-2022-26377 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent Interpretation of HTTP Requests vulnerability i...

FreeBSD : Apache httpd -- Multiple vulnerabilities (f923205f-6e66-11ee-85eb-84a93843eb75)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the f923205f-6e66-11ee-85eb-84a93843eb75 advisory. - modmacro buffer over-read: Out-of-bounds Read vulnerability in modmacro of Apache HTTP...

Apache 2.4.x < 2.4.58 Multiple Vulnerabilities

The version of Apache httpd installed on the remote host is prior to 2.4.58. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.58 advisory. - Apache HTTP Server: DoS in HTTP/2 with initial windows size 0: An attacker, opening a HTTP/2 connection with an initial windo...