CVE-2018-17189

Priority
Description
In Apache HTTP Server versions 2.4.37 and prior, sending request bodies
slowly (Slowloris-style) to plain resources caused the h2 stream for that
request to unnecessarily occupy a server thread cleaning up that incoming
data. This affects only HTTP/2 (mod_http2) connections.
Assigned-to
mdeslaur
Notes
leosilva: issue was introduced in 2.4.17
mdeslaur: http2 is disabled in xenial
Package
Upstream: released (2.4.38-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.6)
Patches:
Upstream: https://github.com/apache/httpd/commit/bea40bf64ce390476dc05c48a8699e76a96320a2

Updated: 2020-07-28 20:04:21 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)