In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size: a limit of 0 removes the size bound, and mod_lua buffers the whole request body in memory, so an attacker can force the httpd process serving the request to allocate as much as the request declares. This issue has been addressed in Apache HTTP Server 2.4.54 and later.

A possible workaround on unpatched servers is to change the script so that it never calls r:parsebody(0) and instead passes an explicit byte limit, which makes mod_lua refuse to buffer a body larger than that limit:

    function handle(r)
        -- Explicit limit in bytes instead of 0: larger bodies are not buffered
        local params, files = r:parsebody(1024 * 1024)
        for name, value in pairs(params) do
            r:puts(name .. "=" .. value .. "\n")
        end
        return apache2.OK
    end
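The following is an added example and is not code from the advisory or from the httpd project. It shows a complete mod_lua handler that applies the workaround defensively: it answers 413 based on the declared Content-Length before anything is buffered, then calls r:parsebody with the same explicit limit for the bytes actually read. The script path, the LuaMapHandler mapping in the comments, the MAX_BODY value and the fake_request stand-in used for the offline self-check are assumptions made for this example; pairing the handler with a LimitRequestBody directive in the server configuration is an independent, additional bound and is also an assumption, not part of the advisory.

```lua
-- Added example (not from the advisory or the httpd project): a mod_lua
-- handler hardened against CVE-2022-29404-style request bodies. Assumed
-- mapping in httpd.conf:  LuaMapHandler /upload /var/www/lua/upload.lua handle
-- MAX_BODY is a value chosen for this example, not an httpd default.

local MAX_BODY = 1024 * 1024   -- 1 MiB cap on the parsed request body

-- Decide whether the body may be parsed. Returns the HTTP status to send and,
-- on 200, the parsed form fields and uploaded files.
function check_and_parse(r)
    -- 1. Check the declared length before anything is read: in 2.4.53 and
    --    earlier the body buffer is sized from Content-Length, so a large
    --    declared length is harmful even if the client never sends the bytes.
    local declared = 0
    local header = r.headers_in["Content-Length"]
    if header ~= nil then
        declared = tonumber(header)
        if declared == nil then
            return 400   -- malformed header (httpd itself normally rejects this first)
        end
    end
    if declared > MAX_BODY then
        return 413   -- Request Entity Too Large; nothing has been buffered
    end
    -- 2. Never call r:parsebody(0). The explicit limit bounds what mod_lua
    --    will buffer for the bytes that actually arrive on the wire.
    local params, files = r:parsebody(MAX_BODY)
    return 200, params, files
end

-- Entry point named in the LuaMapHandler line above.
function handle(r)
    local status, params = check_and_parse(r)
    if status ~= 200 then
        return status   -- httpd sends its standard error page for this code
    end
    r.content_type = "text/plain"
    local count = 0
    for name, value in pairs(params) do
        count = count + 1
        r:puts(name .. "=" .. tostring(value) .. "\n")
    end
    r:puts(count .. " field(s) parsed within " .. MAX_BODY .. " bytes\n")
    return apache2.OK
end

-- Constructed stand-in for the httpd request object so the checks can be run
-- with a plain `lua` interpreter outside httpd; it is not the mod_lua API.
local function fake_request(content_length, fields)
    return {
        headers_in = { ["Content-Length"] = content_length },
        parsebody = function(self, limit)
            -- mimic r:parsebody: hand back the fields only if within the limit
            local declared = tonumber(content_length or "0") or 0
            if declared > limit then return {}, {} end
            return fields, {}
        end,
    }
end

if apache2 == nil then   -- running outside httpd: self-check of the logic
    assert(check_and_parse(fake_request("17", { a = "1", b = "2" })) == 200)
    assert(check_and_parse(fake_request(tostring(50 * 1024 * 1024), {})) == 413)
    assert(check_and_parse(fake_request("abc", {})) == 400)
    assert(check_and_parse(fake_request(nil, {})) == 200)   -- no body declared
    print("ok")
end
```

Run `lua upload.lua` outside httpd to exercise the checks against the constructed requests; inside httpd the `apache2` global exists and only handle() runs. The declared-length check comes first because r:parsebody does not raise a Lua error when a body exceeds its limit, so the 413 has to be produced by the script itself; the limit passed to r:parsebody then guards the bytes that are actually read, including a client that declares a small length and keeps sending.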
Impact
Only servers that expose a mod_lua script calling r:parsebody with a limit of 0 are affected. The effect is memory exhaustion in the httpd process serving the request, not code execution. Apache HTTP Server 2.4.54 and later apply a default limit to the body size read by r:parsebody.
Timeline
Published on: 06/09/2022 17:15:00 UTC
Last modified on: 08/24/2022 18:17:00 UTC
References
- http://www.openwall.com/lists/oss-security/2022/06/08/5
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://security.netapp.com/advisory/ntap-20220624-0005/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://security.gentoo.org/glsa/202208-20
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29404