A vulnerability was found in httpd, where using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1743975]

Created mod_http2 tracking bugs for this issue:
Affects: fedora-all [bug 1743976]

Created nghttp2 tracking bugs for this issue:
Affects: epel-all [bug 1743977]
Affects: fedora-all [bug 1743979]

Created nginx tracking bugs for this issue:
Affects: fedora-all [bug 1743981]

Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1743978]
Affects: fedora-all [bug 1743980]
External References: https://httpd.apache.org/security/vulnerabilities_24.html
Could you please explain why you created tracking bugs for nghttp2?
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Enterprise Web Server 3
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Mitigation:

This flaw is only exploitable if Apache httpd is configured to respond to HTTP/2 requests, which is done by including "h2" or "h2c" in the "Protocols" list in a configuration file. The following command can be used to search for possible vulnerable configurations:

grep -R '^\s*Protocols\>.*\<h2\>' /etc/httpd/

See https://httpd.apache.org/docs/2.4/mod/mod_http2.html
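The configuration check described in the mitigation comment, as an added example that is not part of the bug or of the httpd project. It wraps the same search in reusable shell functions and goes slightly beyond the comment's grep: the word match "\<h2\>" does not match the cleartext token "h2c", so the pattern below accepts either token. The default root /etc/httpd and the sample configuration files it builds under a temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug or the httpd project): scan an httpd
# configuration tree for uncommented "Protocols" directives that enable HTTP/2,
# the precondition named in the mitigation. Matches "h2" and "h2c"; the bug's
# "\<h2\>" word match misses h2c-only lines. Default root /etc/httpd is assumed.

# Print "file:line:text" for each active Protocols directive listing h2 or h2c.
h2_protocols_lines() {
  dir="${1:-/etc/httpd}"
  # -R recurse, -n line numbers, -E extended regex. A '#'-commented line never
  # matches because the directive name must be the first token on the line,
  # and "ProtocolsHonorOrder" is excluded by the required whitespace after it.
  grep -R -n -E \
    '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)' \
    "$dir" 2>/dev/null
}

# Verdict: exit 0 when HTTP/2 is enabled somewhere under the tree, else 1.
h2_enabled() {
  if h2_protocols_lines "$1" | grep -q .; then
    echo "HTTP/2 is enabled under ${1:-/etc/httpd}; mod_http2 is in scope for this flaw"
    return 0
  fi
  echo "No active h2/h2c Protocols directive under ${1:-/etc/httpd}"
  return 1
}

# Constructed sample tree (not a real host's configuration) to exercise the matcher.
make_sample_conf() {
  mkdir -p "$1/conf.d"
  printf 'Protocols h2 http/1.1\n' > "$1/conf.d/ssl.conf"                  # match
  printf '  Protocols http/1.1 h2c\n' > "$1/conf.d/vhost.conf"             # match (h2c)
  printf '#Protocols h2 http/1.1\nProtocols http/1.1\n' > "$1/httpd.conf"  # no match
  printf 'ProtocolsHonorOrder On\n' > "$1/conf.d/order.conf"               # no match
}

# Stand-alone demo: build the sample tree, list matches, print the verdict.
if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp -d)
  make_sample_conf "$sample"
  h2_protocols_lines "$sample"
  h2_enabled "$sample"
  rm -rf "$sample"
fi
```

Run with `sh scan_h2.sh --demo` to see the two matching lines from the constructed tree, or source the file and call `h2_enabled /etc/httpd` on a real host; a zero exit status means the host is within scope and the httpd/mod_http2 update is the fix, not a configuration change.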
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.37 SP2
Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
JBoss Core Services on RHEL 7
Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10082
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4751 https://access.redhat.com/errata/RHSA-2020:4751