Vulnerability in nghttp2 1.39.1 and earlier

Started by Gregg, August 15, 2019, 12:24:10 AM


Gregg

Isn't that special!

Not 24 hours after Apache 2.4.41 released nghttp2 released version 1.39.2 to fix these vulnerabilities. Argh!

Normally I just let it go because it's usually some minor bug fix but NO, it fixes a remotely exploitable Denial of Service vulnerability that I would classify as "High Severity" if using mod_http2.

I found out about it not from the usual places I get information like this but from El Reg of all places. If you look at this list of applications affected you will notice it says Apache is not affected, but nghttp2 is which mod_http2 uses. I think it's best to just play it safe and update.

I've already put new downloads on the download page but anyone who downloaded a non-r2 package (within last 36 hours +/- as of this post) should update the nghttp2.dll file in Apache's bin folder.

Replacement DLL Apache 2.4.41 VC14 (with OpenSSL 1.0.2s or LibreSSL 2.9.2)

x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc14.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc14.zip

Replacement DLL Apache 2.4.41 VC15 (with OpenSSL 1.1.1c)

x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc15.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc15.zip

Instructions:

  • Download the proper zip file for your version of Apache
  • Shut down Apache
  • Copy DLL from the zip file into Apache's bin folder overwriting the existing dll
  • Start Apache
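The four steps above, as an added PowerShell example (not from the original post or from Apache Haus) that also checks the nghttp2.dll version before and after the swap. It assumes Apache is installed as the Windows service "Apache2.4" under C:\Apache24 and that the replacement zip from the links above has already been downloaded; adjust the parameters if your install differs.

```powershell
# Added example (not from the forum post): replace nghttp2.dll and verify the version.
# Assumptions: Apache runs as the Windows service "Apache2.4" under C:\Apache24,
# and the replacement zip (from the links in the post) is already on disk.
param(
    [string]$ApacheRoot = 'C:\Apache24',
    [string]$ServiceName = 'Apache2.4',
    [Parameter(Mandatory = $true)][string]$ZipPath,
    [version]$FixedVersion = [version]'1.39.2'
)

$dll = Join-Path $ApacheRoot 'bin\nghttp2.dll'

function Get-NghttpVersion([string]$Path) {
    # Read the DLL's file version resource; $null means "no version info" (treated as unknown).
    $fv = (Get-Item $Path -ErrorAction Stop).VersionInfo.FileVersion
    if ([string]::IsNullOrWhiteSpace($fv)) { return $null }
    return [version]($fv.Trim())   # e.g. "1.39.2.0" parses fine
}

$current = Get-NghttpVersion $dll
if ($current -and $current -ge $FixedVersion) {
    Write-Host "nghttp2.dll is already $current (>= $FixedVersion); nothing to do."
    return
}
$shown = if ($current) { $current } else { 'unknown' }
Write-Host "Installed nghttp2.dll version: $shown - updating."

# Step 1: unpack the downloaded zip into a scratch folder and locate the DLL inside it.
$tmp = Join-Path $env:TEMP ('nghttp2-' + [guid]::NewGuid())
Expand-Archive -Path $ZipPath -DestinationPath $tmp -Force
$newDll = Get-ChildItem -Path $tmp -Filter 'nghttp2.dll' -Recurse | Select-Object -First 1
if (-not $newDll) { throw "No nghttp2.dll found in $ZipPath" }
$newVer = Get-NghttpVersion $newDll.FullName
if ($newVer -and $newVer -lt $FixedVersion) {
    throw "Replacement DLL reports $newVer, expected >= $FixedVersion"
}

# Steps 2-4: stop Apache, swap the DLL (keeping a backup of the old one), start Apache.
Stop-Service -Name $ServiceName
Copy-Item -Path $dll -Destination "$dll.bak" -Force
Copy-Item -Path $newDll.FullName -Destination $dll -Force
Start-Service -Name $ServiceName

$after = Get-NghttpVersion $dll
$status = (Get-Service -Name $ServiceName).Status
Write-Host "nghttp2.dll now reports $after; service '$ServiceName' is $status."
```

If the DLL carries no version resource the script reports "unknown" and proceeds with the swap rather than refusing, since a missing resource is not proof of either version.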