Your submission was sent successfully! Close

CVE-2018-11763

Published: 25 September 2018

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Priority

CVSS 3 base score: 5.9

Status

Package	Release	Status
apache2 Launchpad, Ubuntu, Debian	bionic	Released (2.4.29-1ubuntu4.4)
	precise	Not vulnerable (code not present)
	trusty	Not vulnerable (code not present)
	upstream	Released (2.4.35)
	xenial	Not vulnerable (code not built)

Notes

Author	Note
mdeslaur	artful and older don't enable http2 in the build. see CVE-2018-1302 for a whole http2 backport requirement

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading