Posted to dev@httpd.apache.org by Julian Reschke <ju...@gmx.de> on 2018/10/02 08:03:54 UTC

Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

On 9/25/2018 4:26 PM, Barry Pollard wrote:
> I'm confused.
> 
> Why are there no changes to mod_http2 mentioned in: 
> http://www.apache.org/dist//httpd/CHANGES_2.4.35 
> <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35> to 
> presumably address this CVE?
> Or does one of the other changes cover this? (No as far as I can see but 
> could be wrong).
> In previous changes files (e.g. 
> <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34>http://www.apache.org/dist//httpd/CHANGES_2.4.34) 
> these were listed at the top of the changes file.
> 
> Also should this not be mentioned in: 
> https://httpd.apache.org/security/vulnerabilities_24.html?
> Apologies if I've jumped the gun and this is still in progress.
> ...

FWIW, it *is* mentioned in 
<https://httpd.apache.org/security/vulnerabilities_24.html>, which has a 
last modification date of September 25...

Best regards, Julian