CVE-2018-1302

Priority
Description
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP
Server prior to version 2.4.30 could have written a NULL pointer,
potentially to already freed memory. The memory pools maintained by the
server make this vulnerability hard to trigger in usual configurations; the
reporter and the team could not reproduce it outside debug builds, so it is
classified as low risk.
Notes
 mdeslaur> artful and older don't enable http2 in the build.
 mdeslaur> this needs to be fixed by backporting the whole http2 module
 mdeslaur> from a more-recent apache2
Assigned-to
mdeslaur
Package
Upstream: released (2.4.30)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.4)
Ubuntu 18.10 (Cosmic Cuttlefish): released (2.4.33-3ubuntu3)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1822624 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1823781 (2.4.x)
Upstream: https://github.com/apache/httpd/commit/1acf5c9fd27cbf166c1f3e9b20e3bcfe8e790e48 (trunk)

Updated: 2019-01-14 22:31:21 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)