[3.5] apache2: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)ID: oval:org.secpod.oval:def:1801219 | Date: (C)2018-10-30 (M)2024-01-29 |
Class: PATCH | Family: unix |
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Fixed in Version:¶ Apache 2.4.35
Platform: |
Alpine Linux 3.5 |