Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <E1ezZFo-00031W-7i@romulus.home.bitnebula.com>
Date: Fri, 23 Mar 2018 21:50:00 -0500
From: Daniel Ruggeri <druggeri@...che.org>
To: announce@...pd.apache.org, oss-security@...ts.openwall.com,
    security@...pd.apache.org
Subject: CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request


CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.0.1 to 2.4.29

Description:
A specially crafted request could have crashed the Apache HTTP Server prior to
version 2.4.30, due to an out of bound access after a size limit is reached by
reading the HTTP header. This vulnerability is considered very hard if not
impossible to trigger in non-debug mode (both log and build level), so it is
classified as low risk for common server usage.

Mitigation:
All httpd users should upgrade to 2.4.30 or later.

Credit:
The issue was discovered by Robert Swiecki, bug found by honggfuzz

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.