oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2019-0196: mod_http2, read-after-free on a string compare

From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:24 -0500

CVE-2019-0196: mod_http2, read-after-free on a string compare

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.38

Description:
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly.
    
Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.39 or later.

Credit:
The issue was discovered by Craig Young, <vuln-report () secur3 us>.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
Previous By Date Next
Previous By Thread Next

Current thread: