Bug 980370 - (CVE-2016-1546) VUL-0: CVE-2016-1546: apache2: mod_http2 denial-of-service by thread starvation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/169133/
CVSSv2:RedHat:CVE-2016-1546:4.3:(AV:...
Reported: 2016-05-17 14:57 UTC by Alexander Bergmann
Modified: 2016-05-20 09:37 UTC
Found By: Security Response Team
Description Alexander Bergmann 2016-05-17 14:57:58 UTC
rh#1336350

A vulnerability was found in httpd. By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams were processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18.

External references:

http://httpd.apache.org/security/vulnerabilities_24.html

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1733727

Backported to 2.4.x branch via:

http://svn.apache.org/viewvc?view=revision&revision=1734413

Included in 2.4.19, which was not released.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1336350
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1546
Comment 1 Swamp Workflow Management 2016-05-17 22:01:21 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-05-18 06:47:38 UTC
In Tumbleweed it is fixed with 2.4.20 already.
Comment 4 Petr Gajdos 2016-05-18 13:33:06 UTC
Package submitted into 12sp2.
Comment 5 Marcus Meissner 2016-05-20 09:37:18 UTC
done