ALT-BU-2021-3962-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2021-03952
Vulnerability in the HTTP/2 protocol implementation of the mod_http2 module of the Apache HTTP Server web server, allowing an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2021-31618
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions an HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on initialised memory, reliably crashing the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
- http://httpd.apache.org/security/vulnerabilities_24.html
- [oss-security] 20210609 CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request
- [oss-security] 20240313 Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request
- [httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json
- [httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html
- [debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update
- FEDORA-2021-051639aad4
- FEDORA-2021-181f29c392
- https://seclists.org/oss-sec/2021/q2/206
- GLSA-202107-38
- https://security.netapp.com/advisory/ntap-20210727-0008/
- DSA-4937
- https://www.oracle.com/security-alerts/cpuoct2021.html
Package make-initrd updated to version 2.18.0-alt1 for branch sisyphus in task 274072.
Closed bugs
The theme directory is not added to the initrd