CVE-2017-9789 is a pure mod_http2 issue. If the protocol is not enabled, it
does not trigger. (You could even load the module without exposing the server
to the vulnerability)
You need to upgrade at least mod_http2 to a newer version.
Hope that clarifies it.
Cheers,
Stefan
> Am 21.09.2017
Hey all,
Under FreeBSD, mod_http2 is not compiled by the ports tree by default.
Are we still vulnerable to this?
Is there any mitigation strategy besides upgrading? (Disabling htaccess
parsing, for example?)
-Dan
--
-
