CVE-2019-9517 (retired)

Priority
Description
Some HTTP/2 implementations are vulnerable to unconstrained internal data
buffering, potentially leading to a denial of service. The attacker opens
the HTTP/2 window so the peer can send without constraint; however, they
leave the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a large
response object. Depending on how the servers queue the responses, this can
consume excess memory, CPU, or both.
Mitigation
Disable http2 support
Notes
sbeattie: apache2 2.4.18 in xenial does not build mod_http2
Package
Upstream: released (2.4.41-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not built)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.10)
Ubuntu 19.04 (Disco Dingo): released (2.4.38-2ubuntu2.2)
Ubuntu 19.10 (Eoan): not-affected (2.4.41-1ubuntu1)
More Information

Updated: 2019-10-09 08:05:46 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)