[3.8] apache2: Multiple vulnerabilities (CVE-2018-1333, CVE-2018-8011)
CVE-2018-1333: DoS for HTTP/2 connections by crafted requests
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service.
Fixed In Version:
Apache HTTP Server 2.4.34
References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333
http://www.openwall.com/lists/oss-security/2018/07/18/1
CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server.
Fixed In Version:
Apache HTTP Server 2.4.34
References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
http://www.openwall.com/lists/oss-security/2018/07/18/2
(from redmine: issue id 9264, created on 2018-08-17, closed on 2018-08-20)
- Relations:
- copied_to #9263 (closed)
- parent #9263 (closed)
- Changesets:
- Revision d0eedffb by Andy Postnikov on 2018-08-20T10:35:41Z:
main/apache2: security upgrade to 2.4.34
fixes #9264