Bug 980370 (CVE-2016-1546)

Summary: VUL-0: CVE-2016-1546: apache2: mod_http2 denial-of-service by thread starvation
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/169133/
Whiteboard: CVSSv2:RedHat:CVE-2016-1546:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-05-17 14:57:58 UTC
rh#1336350

A vulnerability was found in httpd. By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams were processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18.

External references:

http://httpd.apache.org/security/vulnerabilities_24.html

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1733727

Backported to 2.4.x branch via:

http://svn.apache.org/viewvc?view=revision&revision=1734413

Included in 2.4.19, which was not released.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1336350
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1546
Comment 1 Swamp Workflow Management 2016-05-17 22:01:21 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-05-18 06:47:38 UTC
In Tumbleweed it is fixed with 2.4.20 already.
Comment 4 Petr Gajdos 2016-05-18 13:33:06 UTC
Package submitted into 12sp2.
Comment 5 Marcus Meissner 2016-05-20 09:37:18 UTC
done