455 matches found
Denial Of Service (DoS)
Apache HTTP Server is vulnerable to denial of service (DoS) attacks. A remote user could send a specially crafted HTTP/2 request to trigger a null pointer dereference in the mod_http2 component and cause the server process to crash...
Fedora 30 : mod_http2 (2019-75b4a34d4f)
This release adds the H2Padding configuration directive and has various bug fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible withou...
Amazon Linux 2 : mod_http2 (ALAS-2019-1197)
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189) C Tenable Network...
Low: mod_http2
Issue Overview: In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189)...
Amazon Linux 2 : httpd (ALAS-2019-1189)
In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboar...
Apache Httpd < 2.4.41 : mod_http2, read-after-free in h2 connection shutdown
Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown...
Apache Httpd < 2.4.41 : mod_http2, DoS attack by exhausting h2 workers.
A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections...
Internet Bug Bounty: CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)
A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the r->the_request string is poisoned with...
Debian DSA-4422-1 : apache2 - security update
Several vulnerabilities have been found in the Apache HTTP server. - CVE-2018-17189 Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming...
Important: httpd
Issue Overview: In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulati...
KLA12365 Multiple vulnerabilities in Apache HTTP Server
Multiple vulnerabilities were found in Apache HTTP Server. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, obtain sensitive information, and execute arbitrary code. Below is a complete list of vulnerabilities: 1. Denial of service...
Apache -- Multiple vulnerabilities
The Apache httpd Project reports: Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211, important); mod_auth_digest access control bypass (CVE-2019-0217, important); mod_ssl access control bypass (CVE-2019-0215, important); mod_http2, possible crash on late upgrade (CVE-2019-0197, low)...
Fedora Update for mod_http2 FEDORA-2019-133a8a7cb5
The remote host is missing an update for the...
Fedora 28 : mod_http2 (2019-133a8a7cb5)
This release adds the H2Padding configuration directive and has various bug fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible withou...
[SECURITY] Fedora 29 Update: mod_http2-1.14.1-1.fc29
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers...
Fedora 29 : mod_http2 (2019-0300c36537)
This release adds the H2Padding configuration directive and has various bug fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible withou...
MGASA-2019-0109 Updated apache packages fix security vulnerability
By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections in Apache HTTP Server versions 2.4.37 and prior (CVE-2018-17189). In Apache HTTP Serv...
SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:0498-1)
This update for apache2 fixes the following issues: Security issues fixed: CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838). CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839). Non-security issue fixed:...
Apache 2.4.17 / 2.4.18 mod_http2 Denial of Service
According to its banner, the version of Apache running on the remote host is either 2.4.17 or 2.4.18. It is, therefore, affected by a denial of service vulnerability in the module for the HTTP/2 protocol due to thread starvation. Note that the scanner has not tested for these issues but has inste...
CVE-2018-17189
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections...