Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2018-1301

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

Related bugs and status

CVE-2018-1301 (Candidate) is related to these bugs:

Bug #1770242: Please merge from debian 2.4.33

Summary				In	Importance	Status
	1770242	Please merge from debian 2.4.33		apache2 (Ubuntu)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2018032...
CONFIRM: https://httpd.apache.o...
SECTRACK: 1040573
BID: 103515
DEBIAN: DSA-4164
UBUNTU: USN-3627-1
UBUNTU: USN-3627-2
MLIST: [debian-lts-announce] ...
CONFIRM: https://security.netap...
REDHAT: RHSA-2018:3558
CONFIRM: https://support.hpe.co...
REDHAT: RHSA-2019:0366
REDHAT: RHSA-2019:0367
UBUNTU: USN-3937-2
MLIST: [httpd-cvs] 20190815 s...
MLIST: [httpd-cvs] 20190815 s...
CONFIRM: https://www.tenable.co...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210603 s...
MLIST: [httpd-cvs] 20210606 s...