CLD-566 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-11763 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) apache
Deficiency Type SECURITY
Date Created 2018-09-25 22:18:35
Date Last Modified 2018-09-28 12:21:04

Version Specific Information:

Cucumber 1.0 i686 fixed in apache-2.4.35-i686-1
Cucumber 1.0 x86_64 fixed in apache-2.4.35-x86_64-1

Cucumber 1.1 i686 fixed in apache-2.4.35-i686-1
Cucumber 1.1 x86_64 fixed in apache-2.4.35-x86_64-1

Details:

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS
frames a client can occupy a connection, server thread and CPU time without any
connection timeout coming to effect. This affects only HTTP/2 connections. A
possible mitigation is to not enable the h2 protocol. 

This has been fixed in Apache httpd 2.4.35 (see
https://httpd.apache.org/security/vulnerabilities_24.html).