When HTTP/2 was enabled for an http: host, or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from HTTP/1.1 to HTTP/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol, or that only enabled it for https: and did not configure "H2Upgrade on", is unaffected.
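As an added example (not part of this bug report or of httpd), a small Python audit that reads an httpd configuration and flags the VirtualHosts matching the two affected conditions above, using the mod_http2 directives Protocols and H2Upgrade. It assumes those directives are set inside VirtualHost blocks and that H2Upgrade defaults to off on https: hosts unless configured; the configuration text is constructed.

```python
# Constructed httpd configuration (not from the advisory): two VirtualHosts
# matching the affected conditions and one https: host that is not affected.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    Protocols h2c http/1.1
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    Protocols h2 http/1.1
    H2Upgrade on
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    Protocols h2 http/1.1   # H2Upgrade left at its https: default (off)
</VirtualHost>
"""
def classify_host(host):
    """Return the advisory condition a parsed VirtualHost matches, or None."""
    protos = {p.lower() for p in host["protocols"]}
    if not host["ssl"] and "h2c" in protos:
        return "HTTP/2 enabled on an http: host"
    if host["ssl"] and "h2" in protos and host["h2upgrade"] == "on":
        return "H2Upgrade on for h2 on an https: host"
    return None
def audit_h2_upgrade(config_text):
    """Map VirtualHost address -> reason for hosts matching the conditions.
    Assumption: H2Upgrade defaults to off on https: hosts unless set."""
    findings, host = {}, None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        key = parts[0].lower()
        if key == "<virtualhost" and len(parts) > 1:
            host = {"name": parts[1].rstrip(">"), "ssl": False,
                    "protocols": [], "h2upgrade": None}
        elif key == "</virtualhost>" and host is not None:
            reason = classify_host(host)
            if reason:
                findings[host["name"]] = reason
            host = None
        elif host is not None and len(parts) > 1:
            if key == "sslengine":
                host["ssl"] = parts[1].lower() == "on"
            elif key == "protocols":
                host["protocols"] = parts[1:]
            elif key == "h2upgrade":
                host["h2upgrade"] = parts[1].lower()
    return findings
```

A hit only means the host matches the affected configuration; whether the running httpd build is fixed still has to be checked against the errata listed below.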
External References: https://httpd.apache.org/security/vulnerabilities_24.html http://www.apache.org/dist/httpd/CHANGES_2.4
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1695046]
According to information from upstream, this issue was addressed in httpd 2.4.x commit: http://svn.apache.org/viewvc?view=revision&revision=1855406 This matches the following commit in the mod_http2 github repository: https://github.com/icing/mod_h2/commit/825de6a46027b2f4c30d7ff5a0c8b852d639c207
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0197
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 JBoss Core Services on RHEL 7 Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4751 https://access.redhat.com/errata/RHSA-2020:4751