[users@httpd] mod_h2 protocols not working

2015-10-16 Thread Stefan Eissing
37:tid > 34410099712] AH00094: Command line: '/usr/sbin/httpd -D SSL' > [Fri Oct 16 10:06:02.001697 2015] [http2:debug] [pid 19678:tid > 34410099712] h2_conn.c(123): h2_workers: min=32 max=64, mthrpchild=32, > thr_limit=64 > [Fri Oct 16 10:06:02.001755 2015] [http2:debug]

Re: [users@httpd] mod_h2 protocols not working

2015-10-16 Thread Stefan Eissing
dule (static) >>> proxy_ajp_module (static) >>> proxy_balancer_module (static) >>> proxy_express_module (static) >>> session_module (static) >>> session_cookie_module (static) >>> session_dbd_module (static) >>> s

Re: [users@httpd] Crash in http/2

2015-10-20 Thread Stefan Eissing
This looks like a bug that was fixed shortly after the 2.4.17 release. When the client resets a HTTP/2 stream (request) before the server has started submitting a response, mod_http2 trips and this may lead to a crash later, as you observed. See

Re: [users@httpd] pcre.h missing during apache installation, should be replaced by pcre2.h ?

2015-10-07 Thread Stefan Eissing
On OS X, you need your own pcre. I did that for my mod_h2 sandbox: https://github.com/icing/mod_h2 Hope that helps, Stefan > Am 07.10.2015 um 17:29 schrieb Doyle Jonathan : > > I am trying to install Apache2 locally on my Yosemite Mac. > I successfully installed

Re: [users@httpd] Apache and SPDY

2015-09-16 Thread Stefan Eissing
SPDY has been superseded by HTTP/2 as a protocol. Some browsers still support SPDY, however it will in the mid-term go away. All major browsers nowadays support HTTP/2. That should make it a safer investment. Apache httpd will support HTTP/2 in one of the next 2.4.x releases - hopefully

Re: [users@httpd] Please help with cofig httpd

2016-01-15 Thread Stefan Eissing
; On 15 Jan 2016 4:32 pm, "Stefan Eissing" <stefan.eiss...@greenbytes.de> wrote: > Sure, please have a look: > https://www.google.de/search?q=apache+https+http+welogic=utf-8=utf-8_rd=cr=f9GYVrL-AoP0Uuawl9gO > > > Am 15.01.2016 um 11:53 schrieb Subhendu mohanty <moha

Re: [users@httpd] Please help with cofig httpd

2016-01-15 Thread Stefan Eissing
Sure, please have a look: https://www.google.de/search?q=apache+https+http+welogic=utf-8=utf-8_rd=cr=f9GYVrL-AoP0Uuawl9gO > Am 15.01.2016 um 11:53 schrieb Subhendu mohanty : > > Can we configure Apache with https and weblogic on http > Please help with example

Re: [users@httpd] Please help with cofig httpd

2016-01-15 Thread Stefan Eissing
; On 15 Jan 2016 4:52 pm, "Stefan Eissing" <stefan.eiss...@greenbytes.de> wrote: > Sure, 1st link on the search: > https://docs.oracle.com/middleware/1212/webtier/PLGWL/apache.htm#PLGWL395 > guides you step-by-step. > > > Am 15.01.2016 um 12:17 schrieb Subhendu mo

Re: [users@httpd] SNI SSL per domain?

2016-02-03 Thread Stefan Eissing
common.conf: ServerName foo.tld SSLCertificateFile foo.pem Include common.con ServerName bar.tld SSLCertificateFile bar.pem Include common.con > Am 03.02.2016 um 11:45 schrieb Felipe Gasper : > > What if I have a vhost with: > > ServerName foo.tld

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing
> Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl : > > I'm running an Apache 2.4.18 web server (Server-A) compiled from source as a > reverse proxy. I'm using ProxyPass on Server-A to pass traffic to a proxy, > nghttpx, listening on 127.0.0.1:3000. This nghttpx proxy

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing
ve it a > shot. > > On Mon, Mar 14, 2016 at 5:35 AM, Stefan Eissing > <stefan.eiss...@greenbytes.de> wrote: > > > Am 13.03.2016 um 04:18 schrieb Russel Van Tuyl <russel.vant...@gmail.com>: > > > > I'm running an Apache 2.4.18 web server (Serve

Re: [users@httpd] Potential HTTP/2 Bug within Apache 2.4.18

2016-03-14 Thread Stefan Eissing
uld > you like me to? https://bz.apache.org/bugzilla/show_bug.cgi?id=59176 > > On Mon, Mar 14, 2016 at 7:05 AM, Stefan Eissing > <stefan.eiss...@greenbytes.de> wrote: > Russel, > > if you have a apxs installed, it's probably easiest to checkout and make the > gith

Re: [users@httpd] Apache HTTP2 and benchmarking with h2load

2016-08-25 Thread Stefan Eissing
If you add something like LogLevel http2:debug LogLevel ssl:debug LogLevel core:debug you should find information about negotiation in your error.log. Strange that Firefox works and h2load does not. I use the latter regularly in my tests. Looking forward to see some log output... >

Re: [users@httpd] Apache HTTP2 and benchmarking with h2load

2016-08-25 Thread Stefan Eissing
The following line does not look good: [Thu Aug 25 15:19:43.851331 2016] [ssl:warn] [pid 4275] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name Can you make sure that all names do align? Maybe tweak /etc/hosts to make it match your localhost? >

Re: [users@httpd] Apache 2.4.23 and h2spec

2016-09-09 Thread Stefan Eissing
Hi, this is a known issue with 2.4.23. It was fixed in the github version of the module since v1.5.12 and is also fixed in the Apache subversion repository (trunk and 2.4.x). Cheers, Stefan > Am 08.09.2016 um 17:39 schrieb Michael Johnson : > > Hi there, > > I am trying to

Re: [users@httpd] Apache HTTP2 and benchmarking with h2load

2016-08-25 Thread Stefan Eissing
; autoreconf -i > automake > autoconf > ./configure > make > sudo make install > > For testing purposes I just built nghttp2 on the server (the same way I did > on the client), started h2load and here it works without falling back to > http/1.1 > > >> Am

Re: [users@httpd] Apache HTTP2 and benchmarking with h2load

2016-08-25 Thread Stefan Eissing
g] [pid 3936] h2_session.c(655): > [client 10.0.0.4:52614] AH03068: h2_session(1): sent FRAME[GOAWAY[error=0, > reason='timeout', last_stream=15]], frames=12/7 (r/s) > [Thu Aug 25 16:38:34.262672 2016] [http2:debug] [pid 3936] h2_session.c(752): > [client 10.0.0.4:52614] AH03069: sessi

Re: [users@httpd] Odd Date in http2 header

2017-04-08 Thread Stefan Eissing
Hmm, interesting. I left H2SerializeHeaders in just for the case someone runs into incompatibilities with the standard mod_http2 method. I almost was about to rip it out since, until now, no one reported any differences. I'd like to understand what is going on in your system and causing this

Re: [users@httpd] [ANNOUNCEMENT] Apache HTTP Server 2.4.27 Released

2017-07-11 Thread Stefan Eissing
> Am 11.07.2017 um 16:13 schrieb David Copeland : > > I had it set up on an essentially a private site to try it so the volume was > very low, and so I never had a problem. It can work in certain configurations. Especially if you *only* serve static files. As soon

Re: [users@httpd] Mod_proxy_http2 - got a 503

2017-06-17 Thread Stefan Eissing
Hi, do you talk http: or https: to the backend? h2://mybackend is for the SSL case, for unencrypted calls, use h2c://mybackend. Maybe that is the problem? -Stefan > Am 17.06.2017 um 15:26 schrieb Olivier Mallassi : > > Hello all > > We are trying to use the

Re: [users@httpd] Impact of CVE-2017-9789?

2017-09-21 Thread Stefan Eissing
CVE-2017-9789 is a pure mod_http2 issue. If the protocol is not enabled, it does not trigger. (You could even load the module without exposing the server to the vulnerability) You need to upgrade at least mod_http2 to a newer version. Hope that clarifies it. Cheers, Stefan > Am 21.09.2017

Re: [users@httpd] https not working

2018-06-21 Thread Stefan Eissing
Try "openssl s_client -debug -connect host:port" to see if your machine can contact the server at all. > Am 21.06.2018 um 10:29 schrieb Mahmood Naderan : > > > Have you enabled ssl and rewrite modules? I would verify also that there is > no firewall blocking 443. > > It seems that

Re: [users@httpd] Setup SquirreMail with Virtual Host

2018-01-18 Thread Stefan Eissing
Have you tried something like: ServerName mail.mydomain.com DocumentRoot /usr/share/squirrelmail SSLEngine on ...squirrelmail stuff... > Am 18.01.2018 um 15:57 schrieb Rodrigo Cunha : > > Dear, i have a problem in config vhost

Re: [users@httpd] problems benchmarking php-fpm/proxy_fcgi with h2load

2018-01-19 Thread Stefan Eissing
Can someone with deeper proxy_(fcgi) knowledge than me jump in here. This goes beyond where my area... > Am 19.01.2018 um 13:23 schrieb Hajo Locke : > > Hello, > > thanks Daniel and Stefan. This is a good point. > I did the test with a static file and this test was

Re: [users@httpd] problems benchmarking php-fpm/proxy_fcgi with h2load

2018-01-19 Thread Stefan Eissing
Hej Hajo, do you have the same effect with less connections? e.g. > h2load -n10 -c10 -m10 https://example.com/phpinfo.php and, as Daniel just wrote, do you have similar problems when serving static files? (just to track down where to look) -Stefan > Am 19.01.2018 um 12:38 schrieb Hajo

Re: [users@httpd] Correctly configuring OCSP Stapling cache

2018-01-19 Thread Stefan Eissing
> Am 18.01.2018 um 20:10 schrieb Johannes Bauer <dfnsonfsdu...@gmx.de>: > > Hi Stefan, > > On 18.01.2018 10:00, Stefan Eissing wrote: >> Yes, this is definitely an area where the server can and should be >> improved. Marat already provided the link to the art

Re: [users@httpd] h2load http/2 benchmarkingresults using different mpm/php configurations

2018-01-22 Thread Stefan Eissing
Hi Hajo, on my dev machine I get for static files using mpm_event on Ubuntu 16.04 Parallels image, current 2.4.x Apache with > h2load -n10 -c100 -m10 https://test.example.org:12346/XXX with XXX being 2005 bytes: finished in 1.96s, 51060.63 req/s, 100.20MB/s 10844 bytes: finished in

Re: [users@httpd] Correctly configuring OCSP Stapling cache

2018-01-18 Thread Stefan Eissing
Yes, this is definitely an area where the server can and should be improved. Marat already provided the link to the article discussing this last year and the situation is unchanged, unfortunately. Not for lack of recognition of the problem, but more a lack of time and effort, I think. What I do

Re: [users@httpd] symbol SSLv2_client_method

2018-02-07 Thread Stefan Eissing
No, because I do not have it. Afraid, you need to hunt on the internet yourself. > Am 07.02.2018 um 11:05 schrieb Pietro Pesce <mistak...@gmail.com>: > > hello > > tnx for the response, you can give me the procedure? > > pls > > 2018-02-07 11:03 GMT+

Re: [users@httpd] symbol SSLv2_client_method

2018-02-07 Thread Stefan Eissing
Your openssl is not the version that your apache was compiled against. If you updated it, you need to also re-compile any executables that link it. Note that running SSL without staying on current software versions is highly discouraged. For example, Apache does not support versions 2.0 or 2.2

Re: [users@httpd] h2load http/2 benchmarkingresults using different mpm/php configurations

2018-01-22 Thread Stefan Eissing
Except in (mostly upstream) traffic (or downstream when having lots of cache validations succeed). In this example: HTTP/1.1 upstream: 18.33MB HTTP/2 upstream: 2.87MB (space savings 85.65%) -Stefan > Am 22.01.2018 um 15:14 schrieb Eric Covener : > > On Mon, Jan 22,

Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing
th: 1270 > > > > NON-SSL configuration > Listen 172.16.130.2:80 > > > > ProxyRequests On > ProxyVia On > > > > Require expr %{HTTP_HOST} =~ /^example.com:443$/ > > > > > > On Tue, Apr 10, 2018 at 9:34 AM, Stefan Eissing

Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing
I advise to debug this step-by-step. First the SSL connection to your Apache. Then the proxy setup. Then any restrictions with "Require...". > Am 10.04.2018 um 13:31 schrieb Rajesh Cherukuri : > > > configured HTTPS on 8080 port and here is the request sent to HTTP and

Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing
> Am 10.04.2018 um 10:24 schrieb Rajesh Cherukuri : > > hi > > thanks for the info , wanted to know if there is a way we can configure SSL > on a apache forword proxy so that the communication between the client > (browser) to the Proxy server is encrypted Not sure

Re: [users@httpd] Apache HTTP Server 2.4.33 (httpd) installed on CentOS7.4

2018-03-28 Thread Stefan Eissing
Thanks, Kazuhiko. Always nice to get feedback. Cheers, Stefan > Am 28.03.2018 um 03:21 schrieb kohmoto : > > Hi, > > OS: CentOS7.4.1708 > kernel: 3.10.0-693.21.1 > > > Apache HTTP Server 2.4.33 has been installed successfully via rpmbuild on > CentOS7.4. > Thank

Re: [users@httpd] TLS 1.3

2018-03-28 Thread Stefan Eissing
Glad you asked: I just committed r1827912 into trunk that adds support for TLSv1.3 when linking against OpenSSL v.1.1.1-pre3. This does allow TLSv1.3 clients to talk that version to the server, but it will not enable any fancy early data or such. There is more support needed in the server to

Re: [users@httpd] Next release ?

2018-03-22 Thread Stefan Eissing
2.4.33 has been voted for release and is now being processed. Expect an official announcement in the next days. *) Cheers, Stefan *) Unless disaster strikes, of course. > Am 22.03.2018 um 10:59 schrieb Martin Knoblauch : > > Hi, > > sorry for the non-technical question.

Re: [users@httpd] Openssl-1.1.1 with apache-2.4.29

2018-11-21 Thread Stefan Eissing
The Option "TLSv1.3" in the directive SSLProtocol is available since httpd 2.4.37. Earlier versions will not recognize this and not enable it either. Cheers, Stefan > Am 21.11.2018 um 11:19 schrieb Hemant Chaudhary > : > > HI, > > I am using openssl-1.1.1 with apache-2.4.29 so that I can

Re: [users@httpd] acme-challenge folder exists but 404 contents

2019-01-07 Thread Stefan Eissing
This sounds as if you have loaded "mod_md" and it has taken over the /.well-known/acme-challenge folder. This was a bug in that module which has been fixed in subsequent releases. If you do not use mod_md, the easiest remedy is to not load it into your server. If you want to use mod_md together

Re: [users@httpd] Error while build apache 2.4.39 using CMake on Window machine

2019-04-04 Thread Stefan Eissing
The source file is gone. It needs to be removed from CMakeLists.txt. Sorry about the confusion. > Am 04.04.2019 um 11:34 schrieb Rathore, Rajendra : > > Hi Team, > > While building apache 2.4.39 using CMake command, I face below issue > > CMake Error at CMakeLists.txt:761 (ADD_LIBRARY): >

Re: [users@httpd] Error while build apache 2.4.39 using CMake on Window machine

2019-04-04 Thread Stefan Eissing
ny open issue like below. > > Thanks and Regards, > Rajendra Rathore > 9922701491 > > -Original Message- > From: Stefan Eissing > Sent: 04 April 2019 03:15 PM > To: users@httpd.apache.org > Subject: Re: [users@httpd] Error while build apache 2.4.39 using CMa

Re: [users@httpd] Error while build apache 2.4.39 using CMake on Window machine

2019-04-04 Thread Stefan Eissing
y should I need to > remove? > > Thanks and Regards, > Rajendra Rathore > 9922701491 > > -Original Message- > From: Stefan Eissing > Sent: 04 April 2019 03:10 PM > To: users@httpd.apache.org > Subject: Re: [users@httpd] Error while build apache 2.4.39 usi

Re: [users@httpd] H2Upgrade treated globally instead of locally

2019-03-11 Thread Stefan Eissing
> Am 10.03.2019 um 10:51 schrieb rexkogit...@gmx.at: > > Hello, > > > I already posted this at Stack Exchange here: > > https://serverfault.com/questions/957276/why-is-a-directive-within-a-virtual-host-considered-global > > > For sake of persistence, I quote the essential of the question

Re: [users@httpd] RequestReadTimeout not being overridden in VirtualHost

2019-01-25 Thread Stefan Eissing
mod_reqtimeout uses the setting of the "base" host, not necessarily the virtual host selected by SSL. The "base" host is usually the first one for the given port. So when you have virtual host A, X, C in that order in your config, try changing the setting for A. -Stefan PS. I find this not

Re: [users@httpd] Searching for Apache Test Framework or Test Harness

2019-06-04 Thread Stefan Eissing
Hi Andrew, the overall test suite is at . For some modules, additional test suites are available. For example the ones in and . Cheers, Stefan > Am 04.06.2019 um

Re: [users@httpd] Re: Apache 2.4.39 upgrade issue

2019-06-25 Thread Stefan Eissing
Nitin, to analyse such a problem, it is helpful to provide stack traces of the segmentation faults you are seeing. This may make clear where the problem is. See https://httpd.apache.org/dev/debugging.html for help on this. If the crash is in your mod_WSGi, you would need to contact the

Re: [users@httpd] confirming proper heders

2019-05-24 Thread Stefan Eissing
Mark, this looks fine. If you inspect the headers that curl *sends* to the server, you'll see a "Expect: 100-continue". Read this as the client saying "Server, I expect you to send me a 100 response first, then I'll send you the request body, okay?" Technical description in

Re: [users@httpd] ssl stapling error - sectigo

2019-04-25 Thread Stefan Eissing
> Am 24.04.2019 um 16:22 schrieb Hajo Locke : > > Hello List, > > Apache is 2.4.39, System is Ubuntu 18.04 and 16.04 > > since yesterday evening we have massive mod_ssl problems with ssl stapling: > > Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094] > AH01941:

Re: [users@httpd] ssl stapling error - sectigo

2019-04-25 Thread Stefan Eissing
5.04.2019 um 11:43 schrieb Hajo Locke: >> Hello, >> >> Am 25.04.2019 um 09:51 schrieb Stefan Eissing: >>> >>>> Am 24.04.2019 um 16:22 schrieb Hajo Locke : >>>> >>>> Hello List, >>>> >>>> Apache is 2.4.39, System

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-22 Thread Stefan Eissing
> Am 21.10.2019 um 22:53 schrieb Marian-Nicolae Ion : > > Hi! > > I recompiled and installed the new version... but I came back quickly to the > "standard" one: > - using "curl" I have noticed that effectively I could have TLS 1.3 only on > the desired virtual host and TLS 1.2+ on the

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
n than I can provide. Stefan > Am 23.10.2019 um 17:07 schrieb Wouter Verhelst : > > Hi Stefan, > > Stefan Eissing schreef op wo 23-10-2019 om 16:33 [+0200]: >> I assume you have tried openssl standalone on such a certificate? >> >> https://stackoverflow.co

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Since, I do not know of any specific checks added for this in Apache, I assume that openssl updated its verification

Re: [users@httpd] http and https overlap in virtual host

2020-04-03 Thread Stefan Eissing
As far as I understand, you have vhost1 *:443 siteA.com vhost2 *:443 Zsize.com If the definitions are included in this order, vhost1 is the default selection initially. Then the client host name is inspected (send via TLS as SNI). If it *matches* any other vhost, that vhost is then taken.

Re: [users@httpd] mod_md usage for OCSP stapling

2020-03-30 Thread Stefan Eissing
Steffen described the way to do it where you get the most benefits (thanks!). However, you do not need to declare "MDomain"s for all your certificates. You can also just configure MDStapling on and *all* the certificates in your Apache will be stapled by mod_md. more details: see

Re: [users@httpd] VirtualHost and SSLProtocol settings ignored.

2020-10-14 Thread Stefan Eissing
There has been work done by Ylavic regarding this. I do not know in which release his changes made it. However, up to then, certain SSL* configs did only apply from the _first_ VirtualHost for a given port. Subsequent declarations in other vhosts had no effect. (This is probably all

Re: [users@httpd] VirtualHost and SSLProtocol settings ignored.

2020-10-14 Thread Stefan Eissing
> Am 14.10.2020 um 11:29 schrieb Stefan Eissing: >> There has been work done by Ylavic regarding this. I do not know in which >> release his changes made it. >> >> However, up to then, certain SSL* configs did only apply from the _first_ >> VirtualHost for a giv

Re: [users@httpd] Is HPACK compression supported in Apache httpd with h2?

2020-05-27 Thread Stefan Eissing
Hi Simon, the internal HTTP/2 handling is done using the nghttp2 library, see for details. That one does the HPACK and this is the reason you see no special code for that in mod_http2. Cheers, Stefan > Am 27.05.2020 um 16:23 schrieb

Re: [users@httpd] mod_md: is a restart always require for auto updates?

2020-07-14 Thread Stefan Eissing
> Am 13.07.2020 um 18:10 schrieb Tom Browder : > > I'm running Apache 2.4.43 and just added my first managed virtual host > with mod_md and all worked fine. Now I want to move all my other > virtual host to the same process but I have a few questions first: > > 1. For an auto renewal for the

Re: [users@httpd] mod_md: is a restart always require for auto updates?

2020-07-14 Thread Stefan Eissing
> Am 14.07.2020 um 16:48 schrieb Tom Browder : > > On Tue, Jul 14, 2020 at 02:01 Stefan Eissing > wrote: > > 1. For an auto renewal for the current managed domain, will I have to > > manually restart each time? > Clarification: only a reload (graceful) is necessary

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Stefan Eissing
There is a module called "mod_md" which gets and renews certificates from LE. It's part of 2.4.43. https://httpd.apache.org/docs/2.4/mod/mod_md.html https://github.com/icing/mod_md You do not need to have port 80 open to use it. It also works with port 443 alone. Cheers, Stefan > Am

Re: [users@httpd] Questions to SSLciphersuite

2020-11-27 Thread Stefan Eissing
If I use > openssl s_client -connect nc-mcd.helmholtz-muenchen.de:443 I get a connection using TLSv1.2. So far, so good. If your client cannot connect, maybe it is old and wants to talk SSLv3 which is no longer supported? Your settings look fine otherwise, afaict. - Stefan > Am 27.11.2020

Re: [users@httpd] Disable HTTP2 connection coalescing for different virtual hosts/domains

2020-12-17 Thread Stefan Eissing
ou can always use "curl" to get an honest opinion and with "-v" also some good output of what actually happens on the client side. Best regards, Stefan > -Yves > > > ---- Ursprüngliche Nachricht > Von: Stefan Eissing > Gesendet: Dienstag, 15. D

Re: [users@httpd] Disable HTTP2 connection coalescing for different virtual hosts/domains

2020-12-15 Thread Stefan Eissing
Hi Yves, there is no "intentional" misdirecting by the spec or the server. Let's sort out where the problem lies and how to fix it. 1. You are correct that the browser will see your wildcard cert, see that it applies to another host and use the already open connection to make the request. 2.

Re: [users@httpd] Disable HTTP2 connection coalescing for different virtual hosts/domains

2020-12-18 Thread Stefan Eissing
ed and the responses from your proxied apps in detail. Regards, Stefan > > -Yves > > > ---- Ursprüngliche Nachricht > Von: Stefan Eissing > Gesendet: Donnerstag, 17. Dezember 2020, 14:41 MEZ > Betreff: [users@httpd] Disable HTTP2 connection coalescing for di

Re: [users@httpd] 404 error

2021-06-08 Thread Stefan Eissing
> Am 08.06.2021 um 15:20 schrieb Beard, Shawn : > > We have put Apache behind a Netscaler load balancer. We have the VIP set up > with ssl and it is terminating SSL at the netscaler. The backend webserver is > not SSL. When we go to the https vanity url, we get a 404 error. But when I > go

Re: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore

2021-06-04 Thread Stefan Eissing
Hildegard, I believe this is the result of a deliberate change in the OpenSSL API when going to version 1.1.0. In earlier versions of OpenSSL one could switch on/off individual protocols, whereas now one specifies a minimum and maximum TLS version to use. In Apache, the configuration handling

Re: [users@httpd] mod_md and DNS challenge

2021-03-10 Thread Stefan Eissing
> Am 10.03.2021 um 14:21 schrieb Clausen, Jörn : > > Hi! > > Please let me know if there is a more specific list/forum where I can ask > this question. > > I am trying to use mod_md with challenge type "DNS". I have > > MDCAChallenges dns-01 > MDChallengeDns01 /data/acme/mod_md_worker.sh >

Re: [users@httpd] mod_md and DNS challenge

2021-03-11 Thread Stefan Eissing
> Am 11.03.2021 um 09:41 schrieb Clausen, Jörn : > >"detail": "Starting challenges for domains" >"detail": "Setting up challenge 'dns-01' for domain foo" >"detail": "Setting up challenge 'dns-01' for domain bar" >"detail": "Monitoring challenge status for foo" >

[users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

2021-10-07 Thread Stefan Eissing
Severity: critical Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories

[users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

2021-10-05 Thread Stefan Eissing
Severity: important Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require

[users@httpd] CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing

2021-10-05 Thread Stefan Eissing
Severity: moderate Description: While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49.

[users@httpd] CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

2023-10-19 Thread Stefan Eissing
Severity: low Affected versions: - Apache HTTP Server 2.4.55 through 2.4.57 Description: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker

[users@httpd] CVE-2023-31122: Apache HTTP Server: mod_macro buffer over-read

2023-10-19 Thread Stefan Eissing
Severity: low Affected versions: - Apache HTTP Server through 2.4.57 Description: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. Credit: David Shoon (github/davidshoon) (finder) References:

[users@httpd] CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

2023-10-19 Thread Stefan Eissing
Severity: moderate Affected versions: - Apache HTTP Server 2.4.17 through 2.4.57 Description: When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to