ArchLinux: 201807-12: apache: denial of service
Summary
- CVE-2018-1333 (denial of service)
By specially crafting HTTP/2 requests, workers would be allocated 60
seconds longer than necessary, leading to worker exhaustion and a
denial of service.
- CVE-2018-8011 (denial of service)
By specially crafting HTTP requests, the mod_md challenge handler would
dereference a NULL pointer and cause the child process to segfault.
This could be used to DoS the server.
Resolution
Upgrade to 2.4.34-1.
# pacman -Syu "apache>=2.4.34-1"
The problems have been fixed upstream in version 2.4.34.
References
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
https://security.archlinux.org/CVE-2018-1333
https://security.archlinux.org/CVE-2018-8011
Workaround
None.