Bug 1048575 - (CVE-2017-9789) VUL-0: CVE-2017-9789: apache2: httpd: Read after free in mod_http2
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/188451/
Depends on:
Blocks:
Reported: 2017-07-13 15:46 UTC by Marcus Meissner
Modified: 2018-01-31 07:44 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2017-07-13 15:46:28 UTC
http://seclists.org/oss-sec/2017/q3/126

From: William A Rowe Jr <wrowe () apache org>
Date: Thu, 13 Jul 2017 07:58:01 -0500

CVE-2017-9789: Read after free in mod_http2.c

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.26

Description:
When under stress, closing many connections, the HTTP/2
handling code would sometimes access memory after it has
been freed, resulting in potentially erratic behaviour.

Mitigation:
2.4.26 users of mod_http2 should upgrade to 2.4.27.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
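A quick exposure check for the scope the advisory gives (httpd 2.4.26 with mod_http2 in use), as an added example that is not part of the advisory or of the SUSE package: the functions below parse the text of `httpd -v` and `httpd -M` and report "affected" only when the version is exactly 2.4.26 and `http2_module` is loaded. The sample outputs at the bottom are constructed; on openSUSE the equivalent commands are typically run through `apache2ctl`, which is an assumption about the local install, not something the advisory states.

```shell
#!/bin/sh
# Added example: decide whether an httpd build falls inside the CVE-2017-9789
# scope stated in the advisory (httpd 2.4.26, mod_http2 loaded).
# Inputs are the captured text of `httpd -v` and `httpd -M`, passed as strings.

# Extract the version number from a line such as
# "Server version: Apache/2.4.26 (Unix)"; prints nothing if no such line exists.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# True (exit 0) when `httpd -M` output lists http2_module (static or shared).
has_mod_http2() {
    printf '%s\n' "$1" | grep -q '^ *http2_module '
}

# True (exit 0) when the build is inside the advisory's affected scope:
# upstream version 2.4.26 AND mod_http2 actually loaded. A 2.4.26 build
# without the module loaded is reported as not affected, as is any other version.
cve_2017_9789_affected() {
    ver=$(httpd_version "$1")
    [ "$ver" = "2.4.26" ] || return 1
    has_mod_http2 "$2"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_V='Server version: Apache/2.4.26 (Unix)
Server built:   Jun 19 2017 16:00:00'
SAMPLE_M=' Loaded Modules:
 core_module (static)
 http2_module (shared)'

if cve_2017_9789_affected "$SAMPLE_V" "$SAMPLE_M"; then
    echo "affected: upgrade to 2.4.27 or later"
else
    echo "not in the affected scope"
fi
```

The upstream version string is only meaningful for builds that track upstream releases. Distribution packages such as the SUSE apache2-2.4.23-29.13.1 update keep the 2.4.23 base version and carry the fix as a backport, so for those the package version from `rpm -q apache2` against the advisory's fixed version is the check that counts, not the string `httpd -v` reports.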
Comment 1 Marcus Meissner 2017-07-13 15:50:57 UTC
assuming this does not affect SLE; please fix opensuse factory.
Comment 2 Petr Gajdos 2017-07-17 12:58:08 UTC
2.4.27 submitted into factory.
Comment 4 Swamp Workflow Management 2018-01-29 14:09:00 UTC
SUSE-SU-2018:0261-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1042037,1045160,1048575,1057406
CVE References: CVE-2017-7659,CVE-2017-9789
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.13.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    apache2-2.4.23-29.13.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    apache2-2.4.23-29.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.13.1
SUSE Linux Enterprise Server 12-SP2 (src):    apache2-2.4.23-29.13.1
Comment 5 Swamp Workflow Management 2018-01-30 14:23:55 UTC
openSUSE-SU-2018:0291-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1042037,1045160,1048575,1057406
CVE References: CVE-2017-7659,CVE-2017-9789
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-19.1