PublicDateAtUSN: 2019-01-30
Candidate: CVE-2018-17189
PublicDate: 2019-01-30 22:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
 https://www.openwall.com/lists/oss-security/2019/01/22/2
 https://ubuntu.com/security/notices/USN-3937-1
Description:
 In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
Ubuntu-Description:
Notes:
 leosilva> issue was introduced in 2.4.17
 mdeslaur> http2 is disabled in xenial
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]
Patches_apache2:
 upstream: https://github.com/apache/httpd/commit/bea40bf64ce390476dc05c48a8699e76a96320a2
upstream_apache2: released (2.4.38-1)
precise/esm_apache2: not-affected (code not present)
trusty_apache2: not-affected (code not present)
trusty/esm_apache2: not-affected (code not present)
xenial_apache2: not-affected (code not built)
esm-infra/xenial_apache2: not-affected (code not built)
bionic_apache2: released (2.4.29-1ubuntu4.6)
cosmic_apache2: released (2.4.34-1ubuntu2.1)
devel_apache2: not-affected (2.4.38-2ubuntu1)