CVE-2018-1302

Priority
Description
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP
Server prior to version 2.4.30 could have written a NULL pointer to
memory that had potentially already been freed. The memory pools maintained
by the server make this vulnerability hard to trigger in usual configurations;
the reporter and the team could not reproduce it outside debug builds, so it
is classified as low risk.
Assigned-to
mdeslaur
Notes
mdeslaur: artful and older don't enable http2 in the build.
This needs to be fixed by backporting the whole http2 module
from a more-recent apache2.
Package
Upstream: released (2.4.30)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.4)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1822624 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1823781 (2.4.x)
Upstream: https://github.com/apache/httpd/commit/1acf5c9fd27cbf166c1f3e9b20e3bcfe8e790e48 (trunk)

Updated: 2020-01-29 20:01:53 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)