Description
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

| Release | Status | Note |
|---|---|---|
| devel | released | 2.4.64-1ubuntu1 |
| esm-infra-legacy/trusty | needs-triage | |
| esm-infra/bionic | released | 2.4.29-1ubuntu4.27+esm6 |
| esm-infra/focal | released | 2.4.41-4ubuntu3.23+esm2 |
| esm-infra/xenial | released | 2.4.18-2ubuntu3.17+esm16 |
| jammy | released | 2.4.52-1ubuntu4.15 |
| noble | released | 2.4.58-1ubuntu8.7 |
| plucky | released | 2.4.63-1ubuntu1.1 |
| questing | released | 2.4.64-1ubuntu1 |
| upstream | released | 2.4.64-1 |

CVSS3: 7.4 High