All,
On 11/13/23 17:36, Chuck Caldarale wrote:
> You may have the wrong mailing list - this one is for Tomcat, but your query
> seems to be solely about Apache httpd.
>
> Also, the httpd project has stated that they were never vulnerable to
> CVE-2023-44487.
> https://github.com/icing/blog/blob/main/h2-rapid-reset.md

To be fair, this is not an "official" statement by the httpd team.
With httpd 5.4.58, you should be covered for not only CVE-2023-44487 (h2
rapid reset, which was never really a problem) but also CVE-2023-45802
which was exposed by testing httpd for CVE-2023-44487, but is in fact a
separate issue, now fixed in 5.4.88.
-chris