CVE-2020-9490

Priority
Description
In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for
the 'Cache-Digest' header in an HTTP/2 request results in a crash when
the server subsequently tries to HTTP/2 PUSH a resource. Configuring
the HTTP/2 feature via "H2Push off" mitigates this vulnerability on
unpatched servers.
Assigned-to
mdeslaur
Notes
Package
Upstream: released (2.4.44)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.29-1ubuntu4.14)
Ubuntu 20.04 LTS (Focal Fossa): released (2.4.41-4ubuntu3.1)
Ubuntu 20.10 (Groovy Gorilla): released (2.4.46-1ubuntu1)
Patches:
Upstream: https://svn.apache.org/r1880396
Upstream: https://github.com/apache/httpd/commit/a61223e9cb906110f35ec144b93fee9eb80ad6e4
More Information

Updated: 2020-09-10 06:38:17 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)