Apache HTTP server - (bulletinjan2019)ID: oval:org.secpod.oval:def:2103616 | Date: (C)2019-11-24 (M)2024-01-29 |
Class: PATCH | Family: unix |
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
Product: |
web/server/apache-24 |
web/server/apache-24/module/apache-wsgi |
web/server/apache-24/module/apache-wsgi-35 |
web/server/apache-24/module/apache-wsgi-34 |
web/server/apache-24/module/apache-wsgi-27 |
web/server/apache-24/module/apache-ssl |
web/server/apache-24/module/apache-ssl-fips-140 |
web/server/apache-24/module/apache-security |
web/server/apache-24/module/apache-perl |
web/server/apache-24/module/apache-lua |
web/server/apache-24/module/apache-ldap |
web/server/apache-24/module/apache-jk |
web/server/apache-24/module/apache-gss |
web/server/apache-24/module/apache-fcgid |
web/server/apache-24/module/apache-dtrace |
web/server/apache-24/module/apache-dbd |