Cncf · Envoy · CVE-2026-49975
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server (affected versions not specified)
mod_http2 versions prior to 2.0.41
**Description**
Apache HTTP Server's HTTP/2 implementation (mod_http2) mishandles certain cookie headers, allowing a remote denial of service. The issue, known as the HTTP/2 Bomb, chains two techniques: HPACK compression amplification and Slowloris-style resource retention through HTTP/2 flow-control stalling. In the amplification step, a header is inserted into the HPACK dynamic table and then referenced repeatedly; each reference expands to the full header on the server side, so the server allocates more memory with every reference while the bytes on the wire stay small. In the stalling step, the client advertises a zero-byte flow-control window so the server cannot drain and free that memory, and sends small `WINDOW_UPDATE` frames just often enough to avoid timeouts. Together, these allow a single client on a home internet connection to exhaust tens of gigabytes of server memory in seconds. Over 880,000 sites are potentially exposed.
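As an added illustration (not code from Apache or the mod_http2 project), the following minimal HPACK decoder models the amplification step above together with the check that bounds it on the receiving side: the decoded size of a header block (name + value + 32 bytes per field, the accounting HTTP/2 uses for `SETTINGS_MAX_HEADER_LIST_SIZE`) is tracked while decoding, and the block is rejected before the server buffers any more. It assumes no static table, no Huffman strings and no dynamic-table eviction, and the header block it decodes is a constructed test vector.

```python
# Added illustration, not Apache/mod_http2 code: an HPACK decoder that enforces a
# decoded-header budget. Assumed: no static table, no Huffman, no table eviction.

class HeaderListTooLarge(Exception): """Decoded header bytes exceeded the budget."""

def _read_int(buf, pos, prefix_bits):
    """HPACK integer with an N-bit prefix (RFC 7541 s5.1) -> (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift, b = 0, 0x80
    while b & 0x80:                               # continuation bytes, 7 bits each
        b, pos = buf[pos], pos + 1
        value, shift = value + ((b & 0x7F) << shift), shift + 7
    return value, pos

def _read_str(buf, pos):                          # raw literal, Huffman bit assumed clear
    length, pos = _read_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length

def decode_block(block, max_header_list_size):
    """Decode one header block, rejecting it the moment the decoded size
    (name + value + 32 per field, RFC 7540 s6.5.2) exceeds the budget."""
    dynamic, headers, used, pos = [], [], 0, 0    # dynamic: newest first = index 62
    while pos < len(block):
        if block[pos] & 0x80:                     # indexed header field
            idx, pos = _read_int(block, pos, 7)
            if idx < 62:
                raise ValueError("static table not modelled")
            name, value = dynamic[idx - 62]
        elif block[pos] & 0x40:                   # literal with incremental indexing
            idx, pos = _read_int(block, pos, 6)
            if idx != 0:
                raise ValueError("indexed name not modelled")
            name, pos = _read_str(block, pos)
            value, pos = _read_str(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation not modelled")
        used += len(name) + len(value) + 32
        if used > max_header_list_size:           # reject before buffering more
            raise HeaderListTooLarge(used)
        headers.append((name, value))
    return headers, used

# Constructed test vector: a 120-byte cookie added to the dynamic table once, then
# 60 one-byte indexed references to it (0xBE == 0x80 | 62, the newest entry).
SAMPLE_BLOCK = b"\x40\x06cookie" + bytes([120]) + b"a" * 120 + b"\xbe" * 60
```

With a 16 KiB budget the 189-byte block decodes to 61 fields and 9638 bytes; with an 8 KiB budget it is rejected at the 52nd field, before the stalling step has anything to hold.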
**Recommendations**
Update mod_http2 to version 2.0.41.
Disable HTTP/2 entirely if updating is not feasible.
Restrict access to the vulnerable HTTP/2 endpoint by using a reverse proxy or content delivery network (CDN) that enforces hard header-count limits.