Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2023/11/14 20:45:23 UTC

Re: [OT] Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?

All,

On 11/13/23 17:36, Chuck Caldarale wrote:
> You may have the wrong mailing list - this one is for Tomcat, but your query seems to be solely about Apache httpd.

Also, the httpd project has stated that they were never vulnerable to 
CVE-2023-44487.

https://github.com/icing/blog/blob/main/h2-rapid-reset.md

To be fair, this is not an "official" statement by the httpd team.

With httpd 5.4.58, you should be covered for not only CVE-2023-44487 (h2 
rapid reset, which was never really a problem) but also CVE-2023-45802 
which was exposed by testing httpd for CVE-2023-44487, but is in fact a 
separate issue, now fixed in 5.4.88.

-chris
