Bug 1463199 - (CVE-2017-7659) CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170620,repor...
: Security
Depends On: 1463208 1465916 1473691
Blocks: 1463212 1464082
  Show dependency treegraph
 
Reported: 2017-06-20 07:23 EDT by Andrej Nemec
Modified: 2018-03-01 02:26 EST (History)
40 users (show)

See Also:
Fixed In Version: httpd 2.4.26
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-17 03:38:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2017-06-20 07:23:55 EDT
It was found in httpd that a maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.

External References:

https://httpd.apache.org/security/vulnerabilities_24.html
Comment 1 Andrej Nemec 2017-06-20 07:37:46 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1463208]
Comment 2 Tomas Hoger 2017-06-22 08:27:21 EDT
Upstream commit (trunk):

https://github.com/apache/httpd/commit/672187c168b94b562d8065e08e2cad5b00cdd0e3

Backported to 2.4 as part of a larger commit with other changes:

https://github.com/apache/httpd/commit/bc6ad1ef31f2c9e8f5eb453293a4b9caceaa191d
Comment 11 errata-xmlrpc 2017-08-16 19:06:52 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483

Note You need to log in before you can comment on or make changes to this bug.