A vulnerability was found in httpd. By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams were processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18.

External references:
http://httpd.apache.org/security/vulnerabilities_24.html
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1336351]
Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1733727

Backported to 2.4.x branch via:
http://svn.apache.org/viewvc?view=revision&revision=1734413

Included in 2.4.19, which was not released.
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:1161 https://access.redhat.com/errata/RHSA-2017:1161