Launchpad CVE tracker

CVE 2018-1302

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Related bugs and status

CVE-2018-1302 (Candidate) is related to these bugs:

Bug #1770242: Please merge from debian 2.4.33

Summary				In	Importance	Status
	1770242	Please merge from debian 2.4.33		apache2 (Ubuntu)	Low	Fix Released

Bug #1840188: Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco

Summary				In	Importance	Status
	1840188	Apply fix for CVE-2019-0197 in v2.4.29 in Bionic and Disco		apache2 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2018032...
CONFIRM: https://httpd.apache.o...
SECTRACK: 1040567
BID: 103528
CONFIRM: https://security.netap...
UBUNTU: USN-3783-1
CONFIRM: https://support.hpe.co...
REDHAT: RHSA-2019:0366
REDHAT: RHSA-2019:0367
MLIST: [httpd-cvs] 20190815 s...
MLIST: [httpd-cvs] 20190815 s...
CONFIRM: https://www.tenable.co...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210603 s...
MLIST: [httpd-cvs] 20210606 s...

Launchpad.net

CVE 2018-1302

Related bugs and status

Related bugs

References