CVE-2018-17189 (retired)

Priority
Description
In Apache HTTP Server versions 2.4.37 and prior, when request bodies were
sent in a slow-loris fashion to plain resources, the h2 stream for that
request unnecessarily occupied a server thread cleaning up that incoming
data. This affects only HTTP/2 (mod_http2) connections.
Notes
 leosilva> issue was introduced in 2.4.17
 mdeslaur> http2 is disabled in xenial
Assigned-to
mdeslaur
Package
Upstream: released (2.4.38-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.6)
Ubuntu 18.10 (Cosmic Cuttlefish): released (2.4.34-1ubuntu2.1)
Ubuntu 19.04 (Disco Dingo): not-affected (2.4.38-2ubuntu1)
Patches:
Upstream: https://github.com/apache/httpd/commit/bea40bf64ce390476dc05c48a8699e76a96320a2

Updated: 2019-04-04 16:14:51 UTC (commit 6610cd25003eb54c63da78ebb64fe7ebcc1dfe45)