CVE-2019-10081

Priority
Description
In Apache's HTTP/2 module (mod_http2, 2.4.20 through 2.4.39), very early
pushes, for example those configured with "H2PushResource", could overwrite
memory in the pushing request's pool, leading to crashes. The memory copied
is that of the configured push link header values, not data supplied by the client.
Mitigation
Unpatched servers can disable HTTP/2 push with the "H2Push off" directive.
Notes
sbeattie> apache 2.4.20 and newer
sbeattie> apache 2.4.18 does not build mod_http2.
Package
Upstream: released (2.4.41-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.10)

Updated: 2020-07-28 20:05:55 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)