oss-sec mailing list archives
CVE-2019-0196: mod_http2, read-after-free on a string compare
From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:24 -0500
CVE-2019-0196: mod_http2, read-after-free on a string compare Severity: Low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.17 to 2.4.38 Description: Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.39 or later. Credit: The issue was discovered by Craig Young, <vuln-report () secur3 us>. References: https://httpd.apache.org/security/vulnerabilities_24.html
Current thread:
- CVE-2019-0196: mod_http2, read-after-free on a string compare Daniel Ruggeri (Apr 02)