====================================================================
CERT-Renater Note d'Information No. 2018/VULN301
_____________________________________________________________________
DATE : 26/09/2018
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache versions 2.4.18 up to and including 2.4.34.
=====================================================================
https://httpd.apache.org/security/vulnerabilities_24.html
_____________________________________________________________________
Fixed in Apache httpd 2.4.35

low: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)

By sending continuous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affects a server that has enabled the h2 protocol.

Acknowledgements: The issue was discovered by Gal Goldshtein of F5 Networks.
Reported to security team 18th July 2018
Issue public 25th September 2018
Affects 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18
=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41              +
+ 75013 Paris       | email:cert@support.renater.fr     +
=========================================================
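The pattern the advisory describes (a connection that keeps sending maximum-size, non-ACK SETTINGS frames and nothing else) is easy to spot in a capture of the client side of an h2 connection. The following is an added example, not part of the CERT-Renater note or of Apache httpd: it parses HTTP/2 frame headers (RFC 7540 format) from a byte stream and flags connections dominated by large SETTINGS frames; the thresholds and the sample streams are constructed for illustration.

```python
"""Flag HTTP/2 client streams dominated by large SETTINGS frames (CVE-2018-11763 pattern).

Input is the client-to-server byte stream of one h2 connection, starting with the
connection preface. Thresholds are illustrative assumptions, not values from the advisory.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9            # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
SETTINGS = 0x4                  # frame type SETTINGS
SETTINGS_ACK = 0x1              # ACK flag on a SETTINGS frame
DEFAULT_MAX_FRAME_SIZE = 16384  # SETTINGS_MAX_FRAME_SIZE default (2**14)


def parse_frames(stream: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in the stream."""
    if stream.startswith(PREFACE):
        stream = stream[len(PREFACE):]
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "big")
        ftype, flags = stream[pos + 3], stream[pos + 4]
        stream_id = struct.unpack(">I", stream[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        pos += FRAME_HEADER_LEN
        if pos + length > len(stream):
            break  # truncated frame at the end of the capture: stop cleanly
        yield ftype, flags, stream_id, stream[pos:pos + length]
        pos += length


def settings_flood_score(stream: bytes, max_settings: int = 10, large_fraction: float = 0.5):
    """Return (settings_count, large_settings_count, other_frames, suspicious).

    A connection is flagged when it carries more than max_settings non-ACK SETTINGS
    frames and at least large_fraction of them are half the default max frame size or more.
    """
    count = large = other = 0
    for ftype, flags, _sid, payload in parse_frames(stream):
        if ftype == SETTINGS and not flags & SETTINGS_ACK:
            count += 1
            if len(payload) >= DEFAULT_MAX_FRAME_SIZE // 2:
                large += 1
        else:
            other += 1
    suspicious = count > max_settings and large >= count * large_fraction
    return count, large, other, suspicious


def _frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame (used only to build the constructed samples below)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload


# Constructed samples: a normal handshake (SETTINGS, SETTINGS ACK, HEADERS on stream 1)
NORMAL = (PREFACE + _frame(SETTINGS, 0, 0, struct.pack(">HI", 0x3, 100))
          + _frame(SETTINGS, SETTINGS_ACK, 0, b"") + _frame(0x1, 0x5, 1, b"\x82"))
# and a stream of 50 SETTINGS frames each 16380 bytes long (2730 six-byte settings entries)
MAX_SETTINGS_PAYLOAD = struct.pack(">HI", 0x4, 65535) * (16380 // 6)
FLOOD = PREFACE + _frame(SETTINGS, 0, 0, MAX_SETTINGS_PAYLOAD) * 50
```

Running `settings_flood_score(NORMAL)` yields `(1, 0, 2, False)` while `settings_flood_score(FLOOD)` yields `(50, 50, 0, True)`; pairing the count with the connection's elapsed time in a capture would show the "never times out" behaviour the note describes.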