CVE-2023-45802/CVE-2023-43622 - HTTPD - HTTP/2 RST/DoS
Hey hey! This was just announced a few hours ago BUT we had some warning from the Apache team so we actually built in the fix for this into our ea-nghttp2 package that we released last week:
(Yes, it's a different CVE number, but as long as you have that update, you're protected from the two CVEs mentioned in this post.)

We do still plan on bumping the Apache version as well, but that likely won't happen until next Wednesday as part of our normal release cycle. In short, there's nothing to worry about with cPanel at this time.
[15:25:18 root@host:~] rpm -qi ea-nghttp2 | grep Version
Version : 1.57.0
[15:25:48 root@host:~] rpm -q --changelog ea-nghttp2 | grep CVE-2023-44487
- CVE-2023-44487 - The HTTP/2 protocol allows a denial of service (server resource consumption)
@cPRex, thank you for the details, appreciated as always =)
Sure thing!
Need to update to Apache 2.4.58
* CVE-2023-45802 | CVSSv3 Meta 5.3 (base) 5.1 (temp) | Apache HTTP Server HTTP/2 denial of service
* CVE-2023-31122 | CVSSv3 Meta 5.5 (base) 5.3 (temp) | Apache HTTP Server mod_macro memory corruption