Candidate: CVE-2016-8740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
http://www.openwall.com/lists/oss-security/2016/12/05/14
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when
the Protocols configuration includes h2 or h2c, does not restrict
request-header length, which allows remote attackers to cause a denial of
service (memory consumption) via crafted CONTINUATION frames in an HTTP/2
mdeslaur> mod_http2 is not built in Ubuntu because it is considered
mdeslaur> experimental.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847124
https://bugzilla.redhat.com/show_bug.cgi?id=1401528
Discovered-by: Naveen Tiwari
upstream: https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3
upstream: https://svn.apache.org/viewvc?view=revision&revision=1772579 (2.4)
upstream_apache2: released (2.4.25-1)
precise_apache2: not-affected (code not present)
trusty_apache2: not-affected (code not present)
vivid/stable-phone-overlay_apache2: DNE
vivid/ubuntu-core_apache2: DNE
xenial_apache2: not-affected (no mod_http2 support)
yakkety_apache2: not-affected (no mod_http2 support)
zesty_apache2: not-affected (2.4.25-3ubuntu2)
devel_apache2: not-affected (2.4.25-3ubuntu2)