PublicDateAtUSN: 2019-08-15
Candidate: CVE-2019-10081
PublicDate: 2019-08-15 22:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
 https://www.openwall.com/lists/oss-security/2019/08/15/2
 https://ubuntu.com/security/notices/USN-4113-1
Description:
 HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured
 with "H2PushResource", could lead to an overwrite of memory in the pushing
 request's pool, leading to crashes. The memory copied is that of the
 configured push link header values, not data supplied by the client.
Ubuntu-Description: 
Notes: 
 sbeattie> apache 2.4.20 and newer
 sbeattie> apache 2.4.18 does not build mod_http2.
Mitigation:
 Unpatched servers can disable HTTP/2 push with the "H2Push off" directive.
Bugs: 
Priority: medium
Discovered-by: Craig Young
Assigned-to: 
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_apache2:
upstream_apache2: released (2.4.41-1)
precise/esm_apache2: not-affected (code not present)
trusty_apache2: ignored (out of standard support)
trusty/esm_apache2: not-affected (code not present)
xenial_apache2: not-affected (code not built)
esm-infra/xenial_apache2: not-affected (code not built)
bionic_apache2: released (2.4.29-1ubuntu4.10)
disco_apache2: released (2.4.38-2ubuntu2.2)
devel_apache2: not-affected (2.4.41-1ubuntu1)