Jungun Baek

**Name of the Vulnerable Software and Affected Versions** LibTIFF version 4.0.9 **Description** The issue is related to a heap-based buffer overflow in the TIFFSetupStrips function of the LibTIFF library. This can be exploited by a remote attacker using a specially crafted TIFF file, potentially leading to a denial of service or other unspecified impacts. **Recommendations** For LibTIFF version 4.0.9, consider avoiding the use of the `TIFFSetupStrips` function until a patch is available. As a temporary workaround, restrict the processing of TIFF files from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.17 through 2.4.23 **Description** The issue is related to the mod http2 module in the Apache HTTP Server, which does not restrict request-header length when the Protocols configuration includes h2 or h2c. This allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. The HTTP/2 protocol implementation had an incomplete handling of the LimitRequestFields directive, allowing an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion. **Recommendations** For Apache HTTP Server versions 2.4.17 through 2.4.23, consider disabling the mod http2 module until a patch is available to prevent exploitation. Restrict access to the HTTP/2 protocol to minimize the risk of denial of service attacks. Avoid using the `LimitRequestFields` directive in the affected HTTP/2 configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.