Posted to dev@httpd.apache.org by Barry Pollard <ba...@hotmail.com> on 2018/09/25 14:26:51 UTC

Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

I'm confused.

Why are there no changes to mod_http2 mentioned in: http://www.apache.org/dist//httpd/CHANGES_2.4.35<http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35> to presumably address this CVE?
Or does one of the other changes cover this? (Not as far as I can see, but I could be wrong.)
In previous changes files (e.g. <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34> http://www.apache.org/dist//httpd/CHANGES_2.4.34) these were listed at the top of the changes file.

Also should this not be mentioned in: https://httpd.apache.org/security/vulnerabilities_24.html?
Apologies if I've jumped the gun and this is still in progress.

I imagine CVEs are of special notice so think this should be corrected ASAP if possible.

Thanks,
Barry
________________________________
From: Daniel Ruggeri <dr...@apache.org>
Sent: 25 September 2018 15:08
To: announce@httpd.apache.org; security@httpd.apache.org; oss-security@lists.openwall.com
Subject: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames


CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.34

Description:
By sending continuous, large SETTINGS frames a client can occupy a
connection, server thread and CPU time without any connection timeout
coming into effect.
This affects only HTTP/2 connections. A possible mitigation is to
not enable the h2 protocol.

Mitigation:
All httpd users should upgrade to 2.4.35 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

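The advisory above names the mechanism (a client keeps sending large SETTINGS frames, so the connection, its server thread and CPU stay busy while no connection timeout applies). As an added illustration, not part of the advisory and not mod_http2's own code, the following Python sketch shows the kind of per-connection budget a server or an inspecting proxy can enforce against this pattern: it parses the 9-octet HTTP/2 frame header, counts non-ACK SETTINGS frames (and their payload bytes) in a sliding time window, and reports the frame at which the budget is exhausted. The thresholds, the function and class names, and the two sample frame streams are constructed assumptions for the example.

```python
"""Added example: per-connection budget for HTTP/2 SETTINGS frames.

Not the advisory's or mod_http2's code; thresholds and sample streams are
constructed for illustration.
"""
from collections import deque

FRAME_HEADER_LEN = 9        # RFC 7540 section 4.1: 24-bit length, type, flags, stream id
TYPE_SETTINGS = 0x4
TYPE_WINDOW_UPDATE = 0x8
FLAG_ACK = 0x1


def build_frame(ftype, payload, stream_id=0, flags=0):
    """Serialise one HTTP/2 frame (used here only to construct sample input)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(buf):
            break  # truncated trailing frame: stop, do not guess
        yield ftype, flags, stream_id, buf[start:start + length]
        off = start + length


class SettingsBudget:
    """Sliding-window budget for non-ACK SETTINGS frames on one connection.

    max_frames / max_bytes are the SETTINGS frames and payload bytes tolerated
    within window_seconds. The defaults are assumptions for this example, not
    values taken from mod_http2.
    """

    def __init__(self, max_frames=10, max_bytes=4096, window_seconds=1.0):
        self.max_frames = max_frames
        self.max_bytes = max_bytes
        self.window = window_seconds
        self.events = deque()        # (timestamp, payload_len) inside the window
        self.bytes_in_window = 0

    def observe(self, ftype, flags, payload_len, now):
        """Record one frame; return True once the budget is exceeded."""
        if ftype != TYPE_SETTINGS or flags & FLAG_ACK:
            return False             # only client-initiated SETTINGS count
        self.events.append((now, payload_len))
        self.bytes_in_window += payload_len
        while self.events and now - self.events[0][0] > self.window:
            _, old = self.events.popleft()   # expire events outside the window
            self.bytes_in_window -= old
        return (len(self.events) > self.max_frames
                or self.bytes_in_window > self.max_bytes)


def inspect_connection(buf, frame_interval, budget=None):
    """Replay a frame stream with frames frame_interval seconds apart.

    Returns the 1-based index of the frame that exhausted the budget, or None
    if the whole stream stayed within budget.
    """
    if budget is None:
        budget = SettingsBudget()
    now = 0.0
    for i, (ftype, flags, _sid, payload) in enumerate(iter_frames(buf), 1):
        if budget.observe(ftype, flags, len(payload), now):
            return i
        now += frame_interval
    return None


# Constructed sample: SETTINGS_MAX_CONCURRENT_STREAMS (id 0x3) = 100
_one_setting = (0x3).to_bytes(2, "big") + (100).to_bytes(4, "big")

# Constructed benign stream: one SETTINGS, its ACK, then a WINDOW_UPDATE.
BENIGN_STREAM = (build_frame(TYPE_SETTINGS, _one_setting)
                 + build_frame(TYPE_SETTINGS, b"", flags=FLAG_ACK)
                 + build_frame(TYPE_WINDOW_UPDATE, (65535).to_bytes(4, "big")))

# Constructed flood stream: 200 back-to-back SETTINGS frames, each repeating
# the same setting 50 times (300-byte payload), none of them ACK frames.
FLOOD_STREAM = b"".join(build_frame(TYPE_SETTINGS, _one_setting * 50)
                        for _ in range(200))

if __name__ == "__main__":
    print("benign stream tripped at:", inspect_connection(BENIGN_STREAM, 0.01))
    print("flood stream tripped at: ", inspect_connection(FLOOD_STREAM, 0.001))
```

The benign stream never trips the budget; the flood stream trips the frame-count limit at the 11th SETTINGS frame (or the byte limit at the 14th if the frame count is relaxed), while the same 200 frames spread out at one every 200 ms stay within the one-second window and are tolerated. A real server would close the connection with GOAWAY at that point and log the peer; the sliding window matters because a plain counter would eventually block long-lived but well-behaved connections.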

Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Posted by Julian Reschke <ju...@gmx.de>.
On 9/25/2018 4:26 PM, Barry Pollard wrote:
> I'm confused.
> 
> Why are there no changes to mod_http2 mentioned in: 
> http://www.apache.org/dist//httpd/CHANGES_2.4.35 
> <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35> to 
> presumably address this CVE?
> Or does one of the other changes cover this? (No as far as I can see but 
> could be wrong).
> In previous changes files (e.g. 
> <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34>http://www.apache.org/dist//httpd/CHANGES_2.4.34) 
> these were listed at the top of the changes file.
> 
> Also should this not be mentioned in: 
> https://httpd.apache.org/security/vulnerabilities_24.html?
> Apologies if I've jumped the gun and this is still in progress.
> ...

FWIW, it *is* mentioned in 
<https://httpd.apache.org/security/vulnerabilities_24.html>, which has a 
last modification date of September 25...

Best regards, Julian