Has anyone been able to definitively determine if Apache HTTP 2.4.53 is
vulnerable to CVE-2023-44487? I've found forums where users and apparent
sysadmins indicate it may be; however, the only reference to this CVE I've
been able to locate on Apache.org is as a comment made within another CVE
Severity: moderate
Affected versions:
- Apache HTTP Server 2.4.17 through 2.4.57
Description:
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window
where the request's memory resources were not reclaimed immediately. Instead,
de-allocation was deferred to
Severity: low
Affected versions:
- Apache HTTP Server 2.4.55 through 2.4.57
Description:
An attacker, opening an HTTP/2 connection with an initial window size of 0, was
able to block handling of that connection indefinitely in Apache HTTP Server.
This could be used to exhaust worker
Severity: low
Affected versions:
- Apache HTTP Server through 2.4.57
Description:
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue
affects Apache HTTP Server: through 2.4.57.
Credit:
David Shoon (github/davidshoon) (finder)
References:
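The practical first step behind the question is to check whether a running build's version falls inside the affected ranges quoted in the three advisory excerpts above. The following is an added example, not code from Apache or from the original post: it parses the version out of a `Server:` response header or an `httpd -v` line and reports which of the quoted ranges it falls in. The range labels are short descriptions I assigned to the excerpts; the ranges themselves are exactly the ones quoted, and the excerpts on this page do not state which CVE number each one carries, so the code does not assign any.

```python
import re

# Affected-version ranges exactly as quoted in the advisory excerpts above.
# A lower bound of None means "every version up to the upper bound".
# Labels are this example's own summaries, not advisory titles.
QUOTED_RANGES = [
    ("HTTP/2 RST stream memory not reclaimed promptly (severity: moderate)",
     (2, 4, 17), (2, 4, 57)),
    ("HTTP/2 initial window size 0 blocks connection handling (severity: low)",
     (2, 4, 55), (2, 4, 57)),
    ("mod_macro out-of-bounds read (severity: low)",
     None, (2, 4, 57)),
]

# Matches "Apache/2.4.53", "Apache 2.4.53" and "Apache HTTP Server 2.4.53".
_APACHE_VERSION_RE = re.compile(
    r"Apache(?:/| HTTP Server )?\s*(\d+)\.(\d+)\.(\d+)", re.IGNORECASE
)
_BARE_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a Server header, an `httpd -v`
    line, or a bare version string; raise ValueError if none is present."""
    m = _APACHE_VERSION_RE.search(text) or _BARE_VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Apache version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def affected_ranges(version):
    """Return the labels of every quoted range that contains `version`.

    `version` may be a string (parsed with parse_version) or a tuple.
    Tuple comparison gives correct ordering for (major, minor, patch),
    so 2.4.9 < 2.4.17 as expected.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    hits = []
    for label, low, high in QUOTED_RANGES:
        if (low is None or v >= low) and v <= high:
            hits.append(label)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs: an `httpd -v` line and a response header.
    for sample in ("Server version: Apache/2.4.53 (Unix)",
                   "Server: Apache/2.4.58 (Ubuntu)"):
        print(sample)
        for label in affected_ranges(sample) or ["(outside all quoted ranges)"]:
            print("  -", label)
```

For the 2.4.53 build the question asks about, the check reports it inside the first and third quoted ranges and outside the second, which only starts at 2.4.55. A version comparison is necessary but not sufficient: distribution packages often backport fixes while keeping the upstream version number, so the package changelog (for example the vendor's security notice for the installed `apache2`/`httpd` package) is the authoritative source for whether a given build is actually patched.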