I can confirm that the package that you provided fixes the issue for me. Thank you very much for the quick help!
Your intuition seems to be better than mine, because I have to admit that it took me a while to understand how the commit that you linked fixes the issue and how it was previously introduced by the security fix.

For those readers who are interested and do not want to read all the relevant sections of the source code themselves, here is the explanation:

The patch for CVE-2024-38477 introduced a check that verifies that the URI contains a hostname. As long as this check was missing, a dormant bug in proxy_http2_handler that, in case of a retry, caused ap_proxy_determine_connection to be called for a URL that had already been processed by this function did not cause any immediate problems (I guess the URL got somewhat mangled, but this did not matter because the affected parts of were not used after that). With the introduction of the check of the hostname, this bug suddenly became visible.

As this bug was in mod_proxy_http2, proxy connections to HTTP/1 servers were not affected, which led to this funny effect that HTTP/2 connections occasionally failed while HTTP/1 connections were unaffected, even though the security patch itself did not make any changes to the HTTP/2 logic.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38477

https://bugs.launchpad.net/bugs/2072648

Title: Regression in Apache 2.4.52-1ubuntu4.10 causes intermittent errors in mod_proxy_http2 backend
