From ${URL} : A vulnerability was found in httpd. By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18. External references: http://httpd.apache.org/security/vulnerabilities_24.html @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Arches please test and mark stable the following list of packages: =app-admin/apache-tools-2.4.20 =www-servers/apache-2.4.20 Target KEYWORDS are: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
amd64 stable
x86 stable
arm stable
Stable for HPPA PPC64.
Stable on alpha.
ppc stable
Stabilization of higher version happening in bug 588138
CVE-2016-1546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1546): The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).
