Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2024:3962-1

Опубликовано: 09 нояб. 2024
Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following issues:

  • CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST (bsc#1216423).

Список пакетов

Image SLES15-SP3-SAPCAL-Azure
apache2-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
Image SLES15-SP3-SAPCAL-EC2-HVM
apache2-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
Image SLES15-SP3-SAPCAL-GCE
apache2-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
SUSE Enterprise Storage 7.1
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise Server 15 SP2-LTSS
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise Server 15 SP3-LTSS
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
apache2-2.4.51-150200.3.76.1
apache2-devel-2.4.51-150200.3.76.1
apache2-doc-2.4.51-150200.3.76.1
apache2-prefork-2.4.51-150200.3.76.1
apache2-utils-2.4.51-150200.3.76.1
apache2-worker-2.4.51-150200.3.76.1

Ссылки

Описание

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Затронутые продукты
Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.76.1
Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.76.1
Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.76.1
Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.76.1
Ссылки