You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa mod_http2

Sigurnosni nedostaci programskog paketa mod_http2

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2018-0a95bff197
2018-04-05 23:56:01.161334
——————————————————————————–

Name : mod_http2
Product : Fedora 27
Version : 1.10.16
Release : 1.fc27
URL : https://icing.github.io/mod_h2/
Summary : module implementing HTTP/2 for Apache 2
Description :
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
top of libnghttp2 for httpd 2.4 servers.

——————————————————————————–
Update Information:

This update includes the latest upstream release of mod_http2, version 1.10.16.
This includes a security fix (CVE-2018-1302): When an HTTP/2 stream was
destroyed after being handled, mod_http2 could have written a NULL pointer
potentially to an already freed memory. The memory pools maintained by the
server make this vulnerabilty hard to trigger in usual configurations, the
reporter and the team could not reproduce it outside debug builds, so it is
classified as low risk.
——————————————————————————–
References:

[ 1 ] Bug #1561570 – CVE-2018-1302 mod_http2: httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1561570
[ 2 ] Bug #1560627 – CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1560627
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade mod_http2’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

AutorPetar Bertok
Cert idNCERT-REF-2018-04-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostaci programskog paketa httpd

Otkriveni su sigurnosni nedostaci u programskom paketu httpd za operacijski sustav Fedora. Otkriveni nedostaci potencijalnim udaljenim napadačima omogućuju zaobilaženje sigurnosnih...

Close