Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2018-11763

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Related bugs and status

CVE-2018-11763 (Candidate) is related to these bugs:

Bug #1840188: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

Summary				In	Importance	Status
	1840188	Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco		apache2 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://httpd.apache.o...
SECTRACK: 1041713
BID: 105414
UBUNTU: USN-3783-1
REDHAT: RHSA-2018:3558
CONFIRM: https://www.oracle.com...
CONFIRM: https://security.netap...
CONFIRM: https://support.hpe.co...
MISC: https://www.oracle.com...
REDHAT: RHSA-2019:0366
REDHAT: RHSA-2019:0367
SUSE: openSUSE-SU-2019:1547
SUSE: openSUSE-SU-2019:1814
MLIST: [httpd-cvs] 20190815 s...
MLIST: [httpd-cvs] 20190815 s...
CONFIRM: https://www.tenable.co...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210606 s...