PublicDateAtUSN: 2020-08-07 16:15:00 UTC
Candidate: CVE-2020-9490
PublicDate: 2020-08-07 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
 https://www.openwall.com/lists/oss-security/2020/08/07/4
 https://ubuntu.com/security/notices/USN-4458-1
Description:
 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for
 the 'Cache-Digest' header in a HTTP/2 request would result in a crash when
 the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring
 the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for
 unpatched servers.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Felix Wilhelm
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_apache2:
 upstream: https://svn.apache.org/r1880396
 upstream: https://github.com/apache/httpd/commit/a61223e9cb906110f35ec144b93fee9eb80ad6e4
upstream_apache2: released (2.4.44)
precise/esm_apache2: not-affected (code not present)
trusty_apache2: ignored (out of standard support)
trusty/esm_apache2: not-affected (code not present)
xenial_apache2: not-affected (code not present)
esm-infra/xenial_apache2: not-affected (code not present)
bionic_apache2: released (2.4.29-1ubuntu4.14)
focal_apache2: released (2.4.41-4ubuntu3.1)
devel_apache2: released (2.4.46-1ubuntu1)