Check the Bugzilla thread for all the details:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
The short version is that HTTPD developers found that the bug can only be
reproduced under specific conditions with debugging options turned on,
which is not the way people usually run the server (with the exception of
the OpenBSD ports distribution, which had another mitigating factor).

There is also a post about h2 specifically:
https://icing.github.io/mod_h2/pool-debugging.html

- Y

On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <d...@ehrlichserver.com> wrote:

> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by
> Apache HTTPD devs?
>
> I am aware the work that they do is free, but I contribute to plenty of
> open source for free and take the responsibility very seriously.
>
> This is extremely disturbing and we should all be concerned.
>
> If there was an oversight I made or this story changed please respond and
> correct me and I apologize in advance.