Hi,
the necessary updates are not to be found in Bodhi; I assume someone
missed the info:
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
/CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2
<https://httpd.apache.org/docs/current/mod/mod_http2.html>, specifically
in the stream cleanup path of h2_mplx.c. The bug triggers when a client
sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a
non-zero error code on the same stream, before the multiplexer has
registered the stream.... /whereas the RCE path requires an Apache
Portable Runtime (APR <https://apr.apache.org/>) with the mmap
allocator, which is the default on Debian-derived systems and on the
official httpd Docker image. ...
/The first is denial-of-service, which is trivial: one TCP connection,
two frames, no authentication, no special headers, no specific URL, and
the worker crashes. Apache respawns it, but every request on the crashed
worker is dropped, and the pattern can be sustained as long as the
attacker keeps sending./
Can someone please initiate the updates for all releases? Thanks.
Best regards,
Marius Schwarz
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new
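The frame sequence the quoted article describes (a HEADERS frame on a stream immediately followed by RST_STREAM with a non-zero error code on the same stream) is easy to spot on the wire while waiting for a fixed package. The following is an added example, not code from the Apache project, the article, or the message above: a minimal HTTP/2 frame parser plus a checker that flags that exact HEADERS/RST_STREAM pairing in a captured client byte stream. The sample byte stream is constructed here (the HPACK payload is a placeholder), and the only assumption about the bug is the trigger pattern as the article summarizes it.

```python
import struct

# HTTP/2 frame type codes (RFC 9113) used below
HEADERS = 0x1
RST_STREAM = 0x3
SETTINGS = 0x4
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:]  # low 3 bytes of length
    header += bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data):
    """Split a client-to-server byte stream into (type, flags, stream_id, payload).

    Skips the connection preface if present and stops at a truncated frame
    rather than guessing, so a partial capture never yields a bogus frame.
    """
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    frames = []
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        flags = data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated capture
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def find_headers_then_rst(frames):
    """Return (stream_id, error_code) for each HEADERS frame that is directly
    followed by RST_STREAM on the same stream with a non-zero error code,
    which is the pattern the quoted description gives as the trigger."""
    hits = []
    for prev, cur in zip(frames, frames[1:]):
        same_stream = prev[2] == cur[2]
        if prev[0] == HEADERS and cur[0] == RST_STREAM and same_stream and len(cur[3]) == 4:
            code = struct.unpack("!I", cur[3])[0]
            if code != 0:
                hits.append((cur[2], code))
    return hits


# Constructed sample capture: one suspicious pair on stream 1, plus two
# benign look-alikes (RST_STREAM with NO_ERROR on stream 3, and a RST_STREAM
# for a different stream after HEADERS on stream 5). 0x82 0x84 is a
# placeholder HPACK block (indexed ":method GET", ":path /").
END_HEADERS_AND_STREAM = 0x5
CANCEL = 0x8
SAMPLE_CAPTURE = (
    CLIENT_PREFACE
    + build_frame(SETTINGS, 0, 0)
    + build_frame(HEADERS, END_HEADERS_AND_STREAM, 1, b"\x82\x84")
    + build_frame(RST_STREAM, 0, 1, struct.pack("!I", CANCEL))
    + build_frame(HEADERS, END_HEADERS_AND_STREAM, 3, b"\x82\x84")
    + build_frame(RST_STREAM, 0, 3, struct.pack("!I", 0))
    + build_frame(HEADERS, END_HEADERS_AND_STREAM, 5, b"\x82\x84")
    + build_frame(RST_STREAM, 0, 7, struct.pack("!I", CANCEL))
)


def scan_capture(data):
    """Convenience wrapper: parse a raw capture and report suspicious pairs."""
    return find_headers_then_rst(parse_frames(data))


if __name__ == "__main__":
    for stream_id, code in scan_capture(SAMPLE_CAPTURE):
        print(f"stream {stream_id}: HEADERS followed by RST_STREAM(error={code:#x})")
```

Feed `scan_capture` the client half of a TLS-decrypted or cleartext h2c capture; a hit only identifies the described frame pattern, it does not prove the server is vulnerable, so treat it as a triage signal alongside the installed httpd version.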