USN-3783-1: Apache HTTP Server vulnerabilities

Releases

• Ubuntu 18.04 ESM

Packages

• apache2 - Apache HTTP server

Details

Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module
incorrectly destroyed certain streams. A remote attacker could possibly
use this issue to cause the server to crash, leading to a denial of
service. (CVE-2018-1302)

Craig Young discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain requests. A remote attacker could possibly
use this issue to cause the server to consume resources, leading to a
denial of service. (CVE-2018-1333)

Gal Goldshtein discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled large SETTINGS frames. A remote attacker could possibly
use this issue to cause the server to consume resources, leading to a
denial of service. (CVE-2018-11763)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

• apache2-bin - 2.4.29-1ubuntu4.4

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-11763
• CVE-2018-1302
• CVE-2018-1333