I'm confused. Why are there no changes to mod_http2 mentioned in http://www.apache.org/dist//httpd/CHANGES_2.4.35 (mirror: http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35) to presumably address this CVE? Or does one of the other changes cover this? (Not as far as I can see, but I could be wrong.) In previous changes files (e.g. http://www.apache.org/dist//httpd/CHANGES_2.4.34, mirror: http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34) these were listed at the top of the changes file.
Also, should this not be mentioned in https://httpd.apache.org/security/vulnerabilities_24.html? Apologies if I've jumped the gun and this is still in progress. I imagine CVEs are of special notice, so I think this should be corrected ASAP if possible.

Thanks,
Barry

________________________________
From: Daniel Ruggeri <drugg...@apache.org>
Sent: 25 September 2018 15:08
To: annou...@httpd.apache.org; secur...@httpd.apache.org; oss-secur...@lists.openwall.com
Subject: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: httpd 2.4.17 to 2.4.34

Description: By sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Mitigation: All httpd users should upgrade to 2.4.35 or later.

Credit: The issue was discovered by Gal Goldshtein of F5 Networks.

References: https://httpd.apache.org/security/vulnerabilities_24.html
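As an added illustration (not part of this thread or of httpd's own code), a small Python detector that parses captured HTTP/2 frames (RFC 7540 framing) and flags a connection that keeps sending non-ACK SETTINGS frames, the behaviour the advisory above describes. The thresholds and the two sample byte streams are constructed assumptions for the demonstration.

```python
import struct

FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4          # frame type code for SETTINGS (RFC 7540 section 6.5)
SETTINGS_ACK_FLAG = 0x1      # ACK flag; an ACK carries no payload


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete HTTP/2 frame.

    Header layout: 24-bit payload length, 8-bit type, 8-bit flags,
    1 reserved bit plus 31-bit stream identifier, then the payload.
    A trailing partial frame is ignored rather than misparsed."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break
        yield ftype, flags, stream_id, data[start:end]
        off = end


def settings_flood_score(data: bytes, max_settings: int = 10, max_settings_bytes: int = 1024):
    """Return (count, payload_bytes, suspicious) for non-ACK SETTINGS frames seen
    on one connection slice. The thresholds are assumed values, not from the advisory."""
    count = total = 0
    for ftype, flags, _stream_id, payload in parse_frames(data):
        if ftype == SETTINGS_TYPE and not flags & SETTINGS_ACK_FLAG:
            count += 1
            total += len(payload)
    return count, total, (count > max_settings or total > max_settings_bytes)


def _frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame; used only to build the constructed samples below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id) + payload


# Constructed samples: a normal connection preface carrying one SETTINGS frame
# with two parameters, versus a connection that keeps repeating large SETTINGS frames.
NORMAL = _frame(SETTINGS_TYPE, 0, 0, struct.pack("!HI", 3, 100) + struct.pack("!HI", 4, 65535))
FLOOD = b"".join(_frame(SETTINGS_TYPE, 0, 0, struct.pack("!HI", 4, 65535) * 100) for _ in range(20))

if __name__ == "__main__":
    print("normal:", settings_flood_score(NORMAL))
    print("flood: ", settings_flood_score(FLOOD))
```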