PublicDateAtUSN: 2020-08-07 16:15:00 UTC
Candidate: CVE-2020-11993
PublicDate: 2020-08-07 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993
 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
 https://www.openwall.com/lists/oss-security/2020/08/07/3
 https://ubuntu.com/security/notices/USN-4458-1
Description:
 Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled
 for the HTTP/2 module and on certain traffic edge patterns, logging
 statements were made on the wrong connection, causing concurrent use of
 memory pools. Configuring the LogLevel of mod_http2 above "info" will
 mitigate this vulnerability for unpatched servers.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Felix Wilhelm
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_apache2:
 upstream: https://svn.apache.org/r1879642
 upstream: https://github.com/apache/httpd/commit/63a0a87efa0925514d15c211b508f6594669888c
upstream_apache2: released (2.4.44)
precise/esm_apache2: not-affected (code not present)
trusty_apache2: ignored (out of standard support)
trusty/esm_apache2: not-affected (code not present)
xenial_apache2: not-affected (code not present)
esm-infra/xenial_apache2: not-affected (code not present)
bionic_apache2: released (2.4.29-1ubuntu4.14)
focal_apache2: released (2.4.41-4ubuntu3.1)
devel_apache2: released (2.4.46-1ubuntu1)