CVE-2018-1302 (retired)

Priority
Description
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP
Server prior to version 2.4.30 could have written a NULL pointer,
potentially to already freed memory. The memory pools maintained by the
server make this vulnerability hard to trigger in usual configurations;
the reporter and the team could not reproduce it outside debug builds, so
it is classified as low risk.
Notes
 mdeslaur> artful and older don't enable http2 in the build.
 mdeslaur> this needs to be fixed by backporting the whole http2 module
 mdeslaur> from a more-recent apache2
Assigned-to
mdeslaur
Package
Upstream: released (2.4.30)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.4)
Ubuntu 18.10 (Cosmic Cuttlefish): released (2.4.33-3ubuntu3)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1822624 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1823781 (2.4.x)
Upstream: https://github.com/apache/httpd/commit/1acf5c9fd27cbf166c1f3e9b20e3bcfe8e790e48 (trunk)

Updated: 2019-03-26 12:27:02 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)