Allele Security Alert
mod_http2, possible crash on late upgrade
Apache Software Foundation
Apache HTTP Server (httpd)
Apache HTTP Server version 2.4.34 to 2.4.38
Apache HTTP Server version 2.4.39
Proof of concept
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol or only enabled it for https: and did not set “H2Upgrade on” are unaffected by this issue.
Stefan Eissing (greenbytes.de)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
CVE-2019-0197: mod_http2, possible crash on late upgrade
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019