Arch Linux Security Advisory ASA-201807-12
==========================================

Severity: Medium
Date    : 2018-07-20
CVE-ID  : CVE-2018-1333 CVE-2018-8011
Package : apache
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-736

Summary
=======

The package apache before version 2.4.34-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.4.34-1.

# pacman -Syu "apache>=2.4.34-1"

The problems have been fixed upstream in version 2.4.34.

Workaround
==========

None.

Description
===========

- CVE-2018-1333 (denial of service)

By specially crafting HTTP/2 requests, workers would be allocated 60
seconds longer than necessary, leading to worker exhaustion and a
denial of service.

- CVE-2018-8011 (denial of service)

By specially crafting HTTP requests, the mod_md challenge handler would
dereference a NULL pointer and cause the child process to segfault.
This could be used to DoS the server.

Impact
======

A remote attacker is able to cause a denial of service via a crafted
HTTP request.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
https://security.archlinux.org/CVE-2018-1333
https://security.archlinux.org/CVE-2018-8011