[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

On 9/25/2018 4:26 PM, Barry Pollard wrote:
I'm confused.

Why are there no changes to mod_http2 mentioned in: http://www.apache.org/dist//httpd/CHANGES_2.4.35 <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35> to presumably address this CVE? Or does one of the other changes cover this? (No as far as I can see but could be wrong). In previous changes files (e.g. <http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34>http://www.apache.org/dist//httpd/CHANGES_2.4.34) these were listed at the top of the changes file.

Also should this not be mentioned in: https://httpd.apache.org/security/vulnerabilities_24.html?
Apologies if I've jumped the gun and this is still in progress.

FWIW, it *is* mentioned in <https://httpd.apache.org/security/vulnerabilities_24.html>, which as a last modification date of September 25...

Best regards, Julian