CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
Severity: Low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.17 to 2.4.34 Description: By sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Mitigation: All httpd users should upgrade to 2.4.35 or later. Credit: The issue was discovered by Gal Goldshtein of F5 Networks. References: https://httpd.apache.org/security/vulnerabilities_24.html