Isn't that special!
Not 24 hours after Apache 2.4.41 released, nghttp2 released version 1.39.2 to fix these vulnerabilities. Argh!
Normally I just let it go because it's usually some minor bug fix, but NO, it fixes a remotely exploitable Denial of Service vulnerability that I would classify as "High Severity" if using mod_http2.
I found out about it not from the usual places I get information like this but from El Reg (https://www.theregister.co.uk/2019/08/14/http2_flaw_server/) of all places. If you look at this list of applications (https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752) affected, you will notice it says Apache is not affected, but nghttp2 is, which mod_http2 uses. I think it's best to just play it safe and update.
I've already put new downloads on the download page, but anyone who downloaded a non-r2 package (within the last 36 hours, +/- as of this post) should update the nghttp2.dll file in Apache's bin folder.
Replacement DLL Apache 2.4.41 VC14 (with OpenSSL 1.0.2s or LibreSSL 2.9.2)
x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc14.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc14.zip
Replacement DLL Apache 2.4.41 VC15 (with OpenSSL 1.1.1c)
x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc15.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc15.zip
Instructions:
- Download the proper zip file for your version of Apache
- Shut down Apache
- Copy the DLL from the zip file into Apache's bin folder, overwriting the existing DLL
- Start Apache
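The four steps above as one PowerShell script, added here as an example and not part of the original post or the Apache Haus packages. It assumes Apache is installed under C:\Apache24 and runs as the Windows service "Apache2.4", that the matching zip from the links above has already been downloaded (the default path points at the x64 VC15 one; change it to whichever build you run), and that the DLL carries a version resource that Get-Item can read. Compared with a plain copy, it keeps a timestamped backup of the old DLL, refuses to install a DLL that does not report the expected 1.39.2 version, and waits for the service to actually stop and start.

```powershell
# Added example (not from the original post): replace nghttp2.dll in an Apache Haus
# Windows build, keeping a backup and checking the DLL's version before restarting.
# Assumptions (adjust for your install): Apache lives in C:\Apache24, runs as the
# service "Apache2.4", and the matching zip from the post is already downloaded.
param(
    [string]$ApacheRoot  = 'C:\Apache24',
    [string]$ServiceName = 'Apache2.4',
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\nghttp2-1.39.2-x64-vc15.zip",
    [string]$WantVersion = '1.39.2'
)

$ErrorActionPreference = 'Stop'
$binDir  = Join-Path $ApacheRoot 'bin'
$target  = Join-Path $binDir 'nghttp2.dll'
$backup  = Join-Path $binDir ('nghttp2.dll.bak-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$staging = Join-Path $env:TEMP 'nghttp2-update'

# Record what is currently installed so the change is auditable afterwards.
$before = (Get-Item $target).VersionInfo.FileVersion
Write-Host "Current nghttp2.dll file version: $before"

# Step 1: unpack the downloaded zip into a staging folder and find the DLL in it.
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $staging
$newDll = Get-ChildItem -Path $staging -Recurse -Filter 'nghttp2.dll' | Select-Object -First 1
if (-not $newDll) { throw "nghttp2.dll not found inside $ZipPath" }

# Sanity check: the unpacked DLL should report the fixed version. If the build
# carries no version resource (assumption), warn instead of aborting.
$newVersion = $newDll.VersionInfo.FileVersion
if (-not $newVersion) {
    Write-Warning "Unpacked DLL has no version resource; cannot verify it is $WantVersion"
} elseif (-not $newVersion.StartsWith($WantVersion)) {
    throw "Unpacked DLL reports version '$newVersion', expected $WantVersion"
}

# Step 2: stop Apache so the DLL is no longer locked by httpd.exe.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Step 3: keep the old DLL as a backup, then overwrite it with the new one.
Copy-Item -Path $target -Destination $backup
Copy-Item -Path $newDll.FullName -Destination $target -Force

# Step 4: start Apache again and confirm it came back up with the new DLL.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
$after = (Get-Item $target).VersionInfo.FileVersion
Write-Host "Replaced nghttp2.dll ($before -> $after); backup kept at $backup"
```

Run it from an elevated PowerShell prompt, since stopping the service and writing into the bin folder both need administrator rights. If Apache was started from the console with httpd.exe rather than installed as a service, stop it with httpd -k stop instead of Stop-Service and skip the service steps. Keeping the .bak file lets you roll back with a single copy if Apache fails to start after the swap.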