Hi All,
FYI: CVE-2023-44487 fixed in nghttp2 1.57.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
Best regards,
Alexander Gerasimov
On 12.10.2023 18:31, wdormann (via GitHub) wrote:
wdormann commented on PR #10:
URL: https://github.com/apache/httpd-site/pull/10#issuecomment-1759858696
OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer
reproduce the OOM condition.
I suggest rather than using `Apache HTTP Server is not impacted`, perhaps `As of
version <version>, Apache HTTP Server is not impacted`. Assuming you know when
this protection was put in place.
I'd also possibly reconsider using the `long-standing measures we have in
place` language, especially depending on which version has protections against
CVE-2023-44487.
e.g. if the protections came into play with 2.4.55 (as an example... I don't know if this is when protections were put in place), then Apache might only be protected against CVE-2023-44487 for less than a year. Which wouldn't count as long-standing by a stretch.
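The message above places the nghttp2 fix for CVE-2023-44487 in release 1.57.0. The following is an added example, not code from the thread, from nghttp2 or from the Apache httpd project: a POSIX sh helper that compares an nghttp2 version string against that threshold, so an operator can tell whether a given build already contains the fix. The threshold 1.57.0 is taken from the message; the use of `pkg-config --modversion libnghttp2` to discover the installed version is an assumption about how libnghttp2 is packaged on the host. Note that this only checks the nghttp2 side; it says nothing about which httpd version carries the protections wdormann asks about.

```shell
#!/bin/sh
# Added example: is an nghttp2 version at or past the CVE-2023-44487 fix?
# Threshold taken from the message above (nghttp2 1.57.0).
FIXED_NGHTTP2="1.57.0"

# version_ge A B: return 0 (true) when dotted version A >= B.
# Components are compared numerically; missing components count as 0 and
# non-numeric suffixes such as "-DEV" on a component are ignored.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}
        y=${y%%[!0-9]*}
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# nghttp2_fixed VERSION: return 0 when VERSION >= 1.57.0.
nghttp2_fixed() {
    version_ge "$1" "$FIXED_NGHTTP2"
}

# check_installed: look up the installed libnghttp2 via pkg-config.
# Assumption: the distribution ships libnghttp2.pc; if not, this returns 2.
check_installed() {
    v=$(pkg-config --modversion libnghttp2 2>/dev/null) || {
        echo "libnghttp2 not found via pkg-config" >&2
        return 2
    }
    if nghttp2_fixed "$v"; then
        echo "nghttp2 $v: includes the CVE-2023-44487 fix (>= $FIXED_NGHTTP2)"
    else
        echo "nghttp2 $v: predates the CVE-2023-44487 fix (upgrade to >= $FIXED_NGHTTP2)"
        return 1
    fi
}

# Usage: with no arguments, query the installed library; otherwise evaluate
# each version string given on the command line (e.g. one read off a
# remote host's package list).
if [ "${1:-}" = "--installed" ]; then
    check_installed
elif [ "$#" -gt 0 ]; then
    for v in "$@"; do
        if nghttp2_fixed "$v"; then
            echo "$v: fixed"
        else
            echo "$v: vulnerable (upgrade to >= $FIXED_NGHTTP2)"
        fi
    done
fi
```

Run `sh check_nghttp2.sh --installed` on the target host, or `sh check_nghttp2.sh 1.56.0 1.57.0 1.58.1` to classify versions collected elsewhere. The exit status of `check_installed` is 0 when the fix is present, 1 when it is not, and 2 when the version could not be determined, so it can be used directly from a fleet-wide audit script.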