CVE-2018-1302

NameCVE-2018-1302
DescriptionWhen an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)buster2.4.38-3+deb10u8fixed
buster (security)2.4.38-3+deb10u7fixed
bullseye2.4.54-1~deb11u1fixed
bullseye (security)2.4.52-1~deb11u2fixed
bookworm, sid2.4.54-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcewheezy(not affected)
apache2sourcejessie(not affected)
apache2sourcestretch2.4.25-3+deb9u5
apache2source(unstable)2.4.33-1

Notes

[jessie] - apache2 <not-affected> (Vulnerable code not present)
[wheezy] - apache2 <not-affected> (Vulnerable code not present)
HTTP/2 support introduced in 2.4.17
https://www.openwall.com/lists/oss-security/2018/03/24/5

Search for package or bug name: Reporting problems