A possible workaround for this issue is to add the following code to the bottom of the script to limit the size of incoming POST variables:

    require "post"
    post = Post.new(request)
    if post.params.size > 10
      # limit the size of POST variables
    end
This issue has been addressed in Apache HTTP Server 2.4.54 and later. A malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

CVE-2018-9800: An issue has been identified in the mod_status module that allows a remote attacker to cause a denial of service. This issue occurs because mod_status does not handle requests with User-Agent strings that contain a string that is not a supported User-Agent string. This may lead to an Apache process crash.
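For the r:parsebody(0) issue described above, a mod_lua handler can refuse oversized bodies before parsing and pass an explicit byte limit to the parser. This is an added example, not code from the original page or from the Apache project; the MAX_BODY value, the handler layout and the choice of status codes are assumptions.

```lua
-- Added example: a mod_lua handler that bounds POST body parsing.
-- MAX_BODY is an assumed cap; size it to the largest form the script accepts.
local MAX_BODY = 64 * 1024  -- bytes

function handle(r)
    r.content_type = "text/plain"

    if r.method ~= "POST" then
        return 405  -- only POST is handled by this script
    end

    -- Check the declared length before reading anything. A request with a
    -- missing or malformed Content-Length (for example a chunked body) is
    -- refused instead of being read without a bound.
    local declared = tonumber(r.headers_in["Content-Length"] or "")
    if not declared or declared < 0 then
        return 411  -- Length Required
    end
    if declared > MAX_BODY then
        return 413  -- Payload Too Large
    end

    -- Unbounded form named in the advisory text: r:parsebody(0)
    -- Bounded form: the argument is the maximum number of bytes to parse.
    local post = r:parsebody(MAX_BODY) or {}

    -- Use the parsed fields; here the handler only reports how many arrived.
    local count = 0
    for _ in pairs(post) do
        count = count + 1
    end
    r:puts("fields received: ", tostring(count), "\n")

    return apache2.OK
end
```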

HTTP/2 and lua API changes

There are certain changes in the HTTP/2 protocol and the lua API that may cause a memory leak. These changes have been addressed in Apache HTTP Server 2.4.54 and later.

Timeline

Published on: 06/09/2022 17:15:00 UTC
Last modified on: 08/24/2022 18:17:00 UTC

References