PublicDateAtUSN: 2018-03-26
Candidate: CVE-2018-1302
PublicDate: 2018-03-26 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1302
 http://www.openwall.com/lists/oss-security/2018/03/24/5
 https://httpd.apache.org/security/vulnerabilities_24.html
 https://ubuntu.com/security/notices/USN-3783-1
Description:
 When an HTTP/2 stream was destroyed after being handled, the Apache HTTP
 Server prior to version 2.4.30 could have written a NULL pointer
 potentially to an already freed memory. The memory pools maintained by the
 server make this vulnerability hard to trigger in usual configurations, the
 reporter and the team could not reproduce it outside debug builds, so it is
 classified as low risk.
Ubuntu-Description:
Notes:
 mdeslaur> artful and older don't enable http2 in the build.
 mdeslaur> this needs to be fixed by backporting the whole http2 module
 mdeslaur> from a more-recent apache2
Bugs:
 https://bugzilla.novell.com/show_bug.cgi?id=1086820
Priority: low
Discovered-by: Robert Swiecki
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9 MEDIUM]

Patches_apache2:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1822624 (trunk)
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1823781 (2.4.x)
 upstream: https://github.com/apache/httpd/commit/1acf5c9fd27cbf166c1f3e9b20e3bcfe8e790e48 (trunk)
upstream_apache2: released (2.4.30)
precise/esm_apache2: not-affected (code not present)
trusty_apache2: not-affected (code not present)
trusty/esm_apache2: not-affected (code not present)
xenial_apache2: not-affected (code not built)
esm-infra/xenial_apache2: not-affected (code not built)
artful_apache2: not-affected (code not built)
bionic_apache2: released (2.4.29-1ubuntu4.4)
devel_apache2: released (2.4.33-3ubuntu3)