Title: Vulnerability in nghttp2 1.39.1 and earlier
Post by: Gregg on August 15, 2019, 12:24:10 AM
Isn't that special!

Not 24 hours after Apache 2.4.41 released nghttp2 released version 1.39.2 to fix these vulnerabilities. Argh!

Normally I just let it go because it's usually some minor bug fix but NO, it fixes a remotely exploitable Denial of Service vulnerability that I would classify as "High Severity" if using mod_http2.

I found out about it not from the usual places I get information like this but from El Reg, of all places. If you look at the list of affected applications you will notice it says Apache is not affected, but nghttp2, which mod_http2 uses, is. I think it's best to just play it safe and update.

I've already put new downloads on the download page but anyone who downloaded a non-r2 package (within last 36 hours +/- as of this post) should update the nghttp2.dll file in Apache's bin folder.

Replacement DLL Apache 2.4.41 VC14 (with OpenSSL 1.0.2s or LibreSSL 2.9.2)

Replacement DLL Apache 2.4.41 VC15 (with OpenSSL 1.1.1c)
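An added check, not part of Gregg's post, that a Windows admin can run after swapping the DLL: it reports whether mod_http2 is loaded in httpd.conf and whether the nghttp2.dll in Apache's bin folder is older than the fixed 1.39.2 release. It assumes a default install path of C:\Apache24 and that the DLL carries a file-version resource (if it does not, the SHA-256 is printed so it can be compared against the r2 package).

```powershell
# Added example (not from the original post): audit an Apache-for-Windows
# install for the nghttp2.dll update described above.
# Assumptions: $ApacheRoot is the install root (default is assumed); the DLL
# may or may not carry a VERSIONINFO resource, so the script handles both.
param(
    [string]$ApacheRoot = 'C:\Apache24'   # assumed default install path
)

$FixedVersion = [version]'1.39.2'        # first nghttp2 release with the fix

# 1. Is mod_http2 actually enabled? The nghttp2 issue only matters if it is.
$conf = Join-Path $ApacheRoot 'conf\httpd.conf'
$http2Enabled = $false
if (Test-Path $conf) {
    # an uncommented LoadModule line for http2_module
    $http2Enabled = [bool](Select-String -Path $conf -Pattern '^\s*LoadModule\s+http2_module\b' -Quiet)
}
Write-Host ("mod_http2 loaded in httpd.conf: {0}" -f $http2Enabled)

# 2. Inspect nghttp2.dll in the bin folder.
$dll = Join-Path $ApacheRoot 'bin\nghttp2.dll'
if (-not (Test-Path $dll)) {
    Write-Host "nghttp2.dll not found under $ApacheRoot\bin"
    exit 2
}
$info = Get-Item $dll
$raw  = $info.VersionInfo.FileVersion
$ver  = $null
# Accept 'a.b', 'a.b.c' or 'a.b.c.d'; ignore any trailing build text.
if ($raw -and ($raw -match '^\d+(\.\d+){1,3}')) { $ver = [version]$Matches[0] }

Write-Host ("nghttp2.dll: {0}  last modified {1:u}" -f $dll, $info.LastWriteTime)
Write-Host ("SHA-256: {0}" -f (Get-FileHash -Path $dll -Algorithm SHA256).Hash)

if ($null -eq $ver) {
    Write-Host "No file version resource; compare the hash against the r2 package."
    exit 3
}
if ($ver -lt $FixedVersion) {
    Write-Host ("VULNERABLE: nghttp2 {0} is older than {1}" -f $ver, $FixedVersion)
    if ($http2Enabled) { Write-Host "mod_http2 is enabled: replace the DLL now." }
    exit 1
}
Write-Host ("OK: nghttp2 {0} includes the fix" -f $ver)
exit 0
```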