CVE-2019-10081

Priority
Description
HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured
with "H2PushResource", could lead to an overwrite of memory in the pushing
request's pool, leading to crashes. The memory copied is that of the
configured push link header values, not data supplied by the client.
Mitigation
Unpatched servers can disable HTTP/2 push with the "H2Push off" directive.
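One way to find where the mitigation above is still missing, as an added example that is not part of the advisory or of Apache's own tooling: the Python script below lists every configuration scope in which HTTP/2 is enabled and push has not been turned off. The function name, the sample configuration and the simplified inheritance model (global settings apply to a virtual host unless it overrides them; H2Push is on when unset) are assumptions.

```python
import re

# Constructed sample configuration (not from the advisory).
SAMPLE = """\
Protocols h2 http/1.1
H2PushResource /css/site.css
<VirtualHost *:443>
    ServerName a.example
</VirtualHost>
<VirtualHost *:8443>
    ServerName b.example
    H2Push off
</VirtualHost>
<VirtualHost *:80>
    Protocols http/1.1
</VirtualHost>
"""

def audit_h2_push(conf_text):
    """Map each scope where HTTP/2 push is still active to its H2PushResource values.
    Assumption: global settings are inherited by a <VirtualHost> unless it sets
    its own; Include files are not followed, so pass the merged text.
    """
    new = lambda: {"h2": None, "push": None, "res": []}
    scopes, cur = {"global": new()}, "global"
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if vhost:
            cur = f"vhost {vhost.group(1).strip()} (line {n})"
            scopes[cur] = new()
        elif re.match(r"</VirtualHost>", line, re.I):
            cur = "global"
        elif line and line[0] not in "#<":  # other containers stay in the current scope
            name, *rest = line.split(None, 1)
            args, s = (rest[0] if rest else ""), scopes[cur]
            if name.lower() == "protocols":
                s["h2"] = any(p.lower() in ("h2", "h2c") for p in args.split())
            elif name.lower() == "h2push":
                s["push"] = args.strip().lower() != "off"
            elif name.lower() == "h2pushresource":
                s["res"].append(args.strip())
    g, findings = scopes["global"], {}
    for scope, s in scopes.items():
        h2 = g["h2"] if s["h2"] is None else s["h2"]
        push = s["push"] if s["push"] is not None else g["push"]
        if h2 and push is not False:  # H2Push is on when unset
            findings[scope] = (g["res"] if s is not g else []) + s["res"]
    return findings
```

A scope that appears in the result on an unpatched server still needs "H2Push off"; the upstream version string alone does not show whether a distribution package carries the fix.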
Notes
sbeattie: apache 2.4.20 and newer
apache 2.4.18 does not build mod_http2.
Package
Upstream: released (2.4.41-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.10)
Ubuntu 19.10 (Eoan Ermine): not-affected (2.4.41-1ubuntu1)

Updated: 2020-01-29 20:04:16 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)