CVE-2017-9789 is a pure mod_http2 issue. If the protocol is not enabled, it does not trigger. (You could even load the module without exposing the server to the vulnerability)
You need to upgrade at least mod_http2 to a newer version. Hope that clarifies it. Cheers, Stefan > Am 21.09.2017 um 08:39 schrieb Dan Mahoney (Gushi) <d...@prime.gushi.org>: > > Hey all, > > Under FreeBSD, mod_http2 is not compiled by the ports tree by default. > > Are we still vulnerable to this? > > Is there any mitigation strategy besides upgrading? (Disabling htaccess > parsing, for example?) > > -Dan > > -- > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
