Bug 980370 (CVE-2016-1546)

Summary: VUL-0: CVE-2016-1546: apache2: mod_http2 denial-of-service by thread starvation
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/169133/
Whiteboard: CVSSv2:RedHat:CVE-2016-1546:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-05-17 14:57:58 UTC

A vulnerability was found in httpd. By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams were processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18.

External references:


Upstream commit:


Backported to 2.4.x branch via:


Included in 2.4.19, which was not released.

Comment 1 Swamp Workflow Management 2016-05-17 22:01:21 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-05-18 06:47:38 UTC
In Tumbleweed it is fixed with 2.4.20 already.
Comment 4 Petr Gajdos 2016-05-18 13:33:06 UTC
Package submitted into 12sp2.
Comment 5 Marcus Meissner 2016-05-20 09:37:18 UTC