Description
By sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server thread cleaning up
that incoming data. This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior (CVE-2018-17189).
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
session expiry time before decoding the session. This causes session
expiry time to be ignored for mod_session_cookie sessions since the expiry
time is loaded when the session is decoded (CVE-2018-17199).
The apache package has been updated to version 2.4.38, fixing these issues
and several other bugs. See the upstream CHANGES files for details.