CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers.
Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.20 to 2.4.39 Description: A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.40 or later. Unpatched servers can disable HTTP/2 protocol. Credit: The issue was discovered by Jonathan Looney of Netflix. References: https://httpd.apache.org/security/vulnerabilities_24.html