CLD-566 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | apache |
Deficiency Type | SECURITY |
Date Created | 2018-09-25 22:18:35 |
Date Last Modified | 2018-09-28 12:21:04 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in apache-2.4.35-i686-1 |
Cucumber 1.0 x86_64 | fixed in apache-2.4.35-x86_64-1 |
Cucumber 1.1 i686 | fixed in apache-2.4.35-i686-1 |
Cucumber 1.1 x86_64 | fixed in apache-2.4.35-x86_64-1 |
Details:
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS
frames, a client can occupy a connection, a server thread and CPU time without
any connection timeout taking effect. This affects only HTTP/2 connections. A
possible mitigation is to not enable the h2 protocol.
This has been fixed in Apache httpd 2.4.35 (see
https://httpd.apache.org/security/vulnerabilities_24.html).
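
A check for the condition described above, added here as an example and not part of the original advisory or of the Apache project: it takes the output of `httpd -v` and the text of the server configuration, and reports whether the version lies in the 2.4.17 to 2.4.34 range and whether a `Protocols` directive enables HTTP/2. The function names, status strings and sample configuration are assumptions made for illustration; the check does not follow `Include` files or confirm that mod_http2 is loaded.

```python
import re

# Affected range as stated in the advisory above: 2.4.17 through 2.4.34.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 34)
# Protocol names that turn on HTTP/2 in httpd (over TLS and cleartext).
HTTP2_TOKENS = {"h2", "h2c"}

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
# constructed sample
ServerName www.example.test
ProtocolsHonorOrder On
Protocols h2 http/1.1
"""

def parse_version(banner):
    """Extract (major, minor, patch) from text such as 'Apache/2.4.34 (Unix)'."""
    match = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no Apache version found in banner")
    return tuple(int(part) for part in match.groups())

def http2_protocols(config_text):
    """Return the sorted HTTP/2 tokens named by any Protocols directive."""
    found = set()
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        # Skip blank lines and comment lines (a leading '#').
        if not parts or parts[0].startswith("#"):
            continue
        # Directive names are case-insensitive; ProtocolsHonorOrder is not matched.
        if parts[0].lower() == "protocols":
            found.update(p.lower() for p in parts[1:] if p.lower() in HTTP2_TOKENS)
    return sorted(found)

def assess(banner, config_text):
    """Return (status, enabled_http2_tokens) for one server."""
    version = parse_version(banner)
    enabled = http2_protocols(config_text)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "outside-affected-range", enabled
    # In range: exposed only when HTTP/2 is enabled, per the stated mitigation.
    return ("exposed" if enabled else "mitigated-h2-disabled"), enabled

if __name__ == "__main__":
    print(assess("Server version: Apache/2.4.34 (Unix)", SAMPLE_CONF))
```

A result of `mitigated-h2-disabled` reflects only the workaround; the fix named in this entry is the upgrade to 2.4.35.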