455 matches found

Tenable Nessus
added 2020/08/10 12:00 a.m. | 74 views

FreeBSD : Apache httpd -- Multiple vulnerabilities (76700d2f-d959-11ea-b53c-d4c9ef517024)

The Apache httpd project reports: - mod_http2: Important: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-9490 A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. -...

CVSS 9.8 | AI score 6.9 | EPSS 0.7629
Exploits: 4 | References: 6

Apache Httpd
added 2020/06/16 12:00 a.m. | 118 views

Apache Httpd < 2.4.44 : Push Diary Crash on Specifically Crafted HTTP/2 Header

In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate...

CVSS 7.5 | AI score 8.6 | EPSS 0.2745
Exploits: 2 | Affected Software: 1

RedhatCVE
added 2020/04/07 4:56 a.m. | 42 views

CVE-2019-10082

A read-after-free vulnerability was discovered in Apache httpd, in mod_http2. A specially crafted http/2 client session could cause the server to read memory that was previously freed during connection shutdown, potentially leading to a crash. Mitigation: This flaw is only exploitable if Apache htt...

CVSS 9.1 | AI score 0.8 | EPSS 0.4206
Exploits: 0 | References: 4

RedhatCVE
added 2020/02/02 8:47 a.m. | 35 views

CVE-2019-10081

A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash. Mitigation: This flaw is only exploitable if Apache httpd is configured to respond to HTTP/2 requests, which is done by including "h2...

CVSS 7.5 | AI score 8.2 | EPSS 0.36106
Exploits: 1 | References: 4

IBM Security Bulletins
added 2019/12/18 2:26 p.m. | 65 views

Security Bulletin: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668 and CVE-2017-7679 in IBM i HTTP Server

Summary: HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2017-7679 DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by a buffer overread in mod_mime. By sending a specially crafted Content-Ty...

CVSS 9.8 | AI score 1.6 | EPSS 0.64829
Exploits: 4 | Affected Software: 1

RedHat Linux
added 2019/12/10 7:59 a.m. | 134 views

Moderate: Red Hat Security Advisory: httpd24-httpd security, bug fix, and enhancement update

An update for httpd24, httpd24-httpd, and httpd24-nghttp2 is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 7.5 | AI score 6.8 | EPSS 0.82379
Exploits: 4 | References: 14

Tenable Nessus
added 2019/11/22 12:00 a.m. | 74 views

RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6 (Important) (RHSA-2019:3932)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3932 advisory. This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. This release serves as a...

CVSS 7.8 | AI score 7.1 | EPSS 0.43022
Exploits: 4 | References: 27

Tenable Nessus
added 2019/11/22 12:00 a.m. | 61 views

RHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7 (Important) (RHSA-2019:3933)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3933 advisory. This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. This release serves as a...

CVSS 7.8 | AI score 7.1 | EPSS 0.43022
Exploits: 4 | References: 27

Veracode
added 2019/11/21 12:17 a.m. | 26 views

Denial Of Service (DoS)

mod_http2 is vulnerable to denial of service (DoS). The vulnerability exists through a read-after-free on a string compare...

CVSS 5.3 | AI score 2.8 | EPSS 0.08584
Exploits: 0 | References: 54 | Affected Software: 11

Veracode
added 2019/11/21 12:17 a.m. | 29 views

Denial Of Service (DoS)

mod_http2 is vulnerable to denial of service (DoS). The vulnerability exists through parsing of unneeded request bodies...

CVSS 5.3 | AI score 3.6 | EPSS 0.07668
Exploits: 0 | References: 45 | Affected Software: 11

RedHat Linux
added 2019/11/20 4:22 p.m. | 195 views

Important: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability...

CVSS 7.8 | AI score 7 | EPSS 0.43022
Exploits: 4 | References: 14

RedHat Linux
added 2019/11/20 4:08 p.m. | 101 views

Important: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release

Red Hat JBoss Core Services Pack Apache Server 2.4.37 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 7.8 | AI score 7 | EPSS 0.43022
Exploits: 4 | References: 14

Tenable Nessus
added 2019/10/31 12:00 a.m. | 77 views

Amazon Linux 2 : mod_http2 (ALAS-2019-1342) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority ...

CVSS 7.8 | AI score 7.5 | EPSS 0.13725
Exploits: 0 | References: 4

Amazon
added 2019/10/28 12:00 a.m. | 52 views

Important: mod_http2

Issue Overview: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and...

CVSS 7.8 | AI score 7.7 | EPSS 0.13725
Exploits: 0

Tenable Nessus
added 2019/10/28 12:00 a.m. | 54 views

Amazon Linux AMI : httpd24 (ALAS-2019-1311) (Internal Data Buffering)

A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash. (CVE-2019-10081) A read-after-free vulnerability was discovered in Apache httpd, in mod_http2. A specially crafted http/2 client session...

CVSS 9.1 | AI score 6.2 | EPSS 0.82379
Exploits: 6 | References: 7

RedhatCVE
added 2019/10/08 10:49 a.m. | 43 views

CVE-2017-7659

A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request...

CVSS 5 | AI score 1.4 | EPSS 0.38383
Exploits: 0 | References: 2

Oracle linux
added 2019/09/24 12:00 a.m. | 73 views

httpd:2.4 security update

httpd 2.4.37-12.0.1 - Set vstring per ORACLESUPPORTPRODUCT Orabug: 29892262 - Replace index.html with Oracle's index page oracleindex.html 2.4.37-12 - Resolves: 1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount of data request leads to denial of service - Resolves: 1745084 -...

CVSS 7.8 | AI score 2.1 | EPSS 0.13725
Exploits: 0

Tenable Nessus
added 2019/09/09 12:00 a.m. | 63 views

SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:2329-1) (Internal Data Buffering)

This update for apache2 fixes the following issues: Security issues fixed: CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained internal data buffering bsc1145575. CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes bsc1145742...

CVSS 9.1 | AI score 6.1 | EPSS 0.82379
Exploits: 6 | References: 16

OSV
added 2019/09/06 2:08 p.m. | 23 views

SUSE-SU-2019:2329-1 Security update for apache2

This update for apache2 fixes the following issues: Security issues fixed: - CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained internal data buffering bsc1145575. - CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes bsc1145742. -...

CVSS 9.1 | AI score 6.5 | EPSS 0.82379
Exploits: 6 | References: 11

Tenable Nessus
added 2019/09/03 12:00 a.m. | 65 views

Fedora 30 : mod_http2 (2019-63ba15cc83) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

Rebuilt with newer nghttp2 ---- This update includes the latest upstream release of mod_http2, version 1.15.3. Upstream changes include: - fixes Timeout vs. KeepAliveTimeout behaviour, see PR 63534. - Fixes stream cleanup when connection throttling is in place. - Counts stream resets by client on...

CVSS 7.8 | AI score 7.4 | EPSS 0.13725
Exploits: 0 | References: 4