Hi Rich,

Thank you very much for the clarification.

Understood that, according to the CERT/CC advisory (VU#767506), the Apache HTTP Server Project is listed as “Not Affected”, and that this status reflects the project's confirmed determination. We will rely on the CERT/CC status as the authoritative assessment from the project.

Thank you again for the clear and helpful explanation.

Best regards,
Yoshihide Ito

-----Original Message-----
From: Rich Bowen <[email protected]>
Sent: Wednesday, April 29, 2026 4:06 AM
To: [email protected]
Subject: Re: [users@httpd] Does CVE-2025-8671 (MadeYouReset) affect Apache HTTP Server 2.4.46+?

Yoshihide,

The CERT/CC advisory for this vulnerability (VU#767506) lists the Apache HTTP Server Project as "Not Affected":

https://kb.cert.org/vuls/id/767506

The project was notified on 2025-05-28 and the status was confirmed on 2025-08-13.

Regarding the detection tool reporting a positive result — the tool may be detecting generic HTTP/2 behavior (like window management) that doesn't actually lead to the exploitable condition in httpd's case.

The CERT/CC status is the authoritative determination from the project itself.

Hope that helps,
--Rich

On 2026/03/12 08:13:42 "Yoshihide Ito (Fujitsu) via users" wrote:
> Hello httpd users,
>
> I would like to ask for clarification on whether Apache HTTP Server is
> affected by the publicly disclosed HTTP/2 issue “MadeYouReset”
> (CVE-2025-8671), and specifically whether httpd 2.4.46 or later should
> be considered vulnerable. [1][2]
>
> Our observations
>
> - We are aware that Apache httpd's HTTP/2 support is implemented via
>   mod_http2, and mod_http2 uses nghttp2 as its implementation base. [3]
>
> - The nghttp2 project discussed this CVE and indicated that
>   nghttp2 is not affected (see nghttp2 issue #2484). [4]
>
> - However, we ran the detection tool published by one of the researchers
>   (Gal Bar Nahum) against Apache HTTP Server 2.4.46 and 2.4.62 in “checker
>   mode”. The tool reported that the “overflow-window” primitive appears to be
>   applicable / detected for this target. [5]
>
> Any pointers to prior discussion, documentation, or official
> statements would be greatly appreciated.
>
> Thank you for your time and guidance.
>
> Best regards,
> Yoshihide Ito
>
> [1] CERT/CC VU#767506: https://kb.cert.org/vuls/id/767506
> [2] NVD CVE-2025-8671: https://nvd.nist.gov/vuln/detail/CVE-2025-8671
> [3] Apache httpd HTTP/2 guide (mod_http2 uses nghttp2):
>     https://httpd.apache.org/docs/2.4/howto/http2.html
> [4] Tool by Gal Bar Nahum: https://github.com/galbarnahum/MadeYouReset
> [5] nghttp2 issue #2484: https://github.com/nghttp2/nghttp2/issues/2484
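Added illustration for readers following Rich's remark about "generic HTTP/2 behavior (like window management)"; it is not code from httpd, mod_http2, nghttp2 or the thread's participants. The model below implements the receiver-side WINDOW_UPDATE accounting that RFC 9113 requires: a zero increment on a stream is a PROTOCOL_ERROR, and an increment that would push the window past 2^31-1 must be answered with a FLOW_CONTROL_ERROR stream reset. Both resets are mandated by the specification, which is why a checker that provokes one has observed ordinary window management rather than, by itself, the exploitable condition. The per-connection budget of server-initiated resets is a constructed, hypothetical defensive counter added for illustration, not a mechanism of any of the projects named in the thread.

```python
"""Receiver-side model of HTTP/2 flow-control window accounting (RFC 9113).

Added illustration written for this thread; it is not httpd, mod_http2 or
nghttp2 code. It shows why a spec-compliant endpoint necessarily answers an
overflowing WINDOW_UPDATE with a FLOW_CONTROL_ERROR stream reset, and keeps a
constructed per-connection budget of server-initiated resets as one example
of the defensive accounting a server or detector might maintain.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_WINDOW = 2**31 - 1          # RFC 9113 s.6.9.1: largest permitted window
INITIAL_WINDOW = 65_535         # RFC 9113 s.6.9.2: default initial window
PROTOCOL_ERROR = 0x1            # RFC 9113 s.7 error codes
FLOW_CONTROL_ERROR = 0x3


@dataclass
class StreamState:
    window: int = INITIAL_WINDOW
    reset_code: Optional[int] = None   # set once this endpoint has sent RST_STREAM


@dataclass
class ConnectionModel:
    """Tracks per-stream send windows as the peer's WINDOW_UPDATE frames arrive."""
    reset_budget: int = 100            # constructed threshold, not a real httpd/nghttp2 value
    streams: Dict[int, StreamState] = field(default_factory=dict)
    server_resets: int = 0             # RST_STREAM frames this endpoint has sent

    def open_stream(self, stream_id: int) -> None:
        self.streams[stream_id] = StreamState()

    def _reset(self, st: StreamState, code: int) -> str:
        st.reset_code = code
        self.server_resets += 1
        return f"RST_STREAM(0x{code:x})"

    def window_update(self, stream_id: int, increment: int) -> str:
        """Apply a WINDOW_UPDATE for stream_id; return the action this endpoint takes."""
        st = self.streams[stream_id]
        if st.reset_code is not None:
            return "ignored"            # frames on an already-reset stream are dropped
        if increment == 0:
            # s.6.9: a zero increment on a stream is a stream error of type PROTOCOL_ERROR
            return self._reset(st, PROTOCOL_ERROR)
        if st.window + increment > MAX_WINDOW:
            # s.6.9.1: a window above 2^31-1 is a stream error of type FLOW_CONTROL_ERROR.
            # The reset is required by the spec, so observing it proves only that the
            # endpoint manages its window correctly.
            return self._reset(st, FLOW_CONTROL_ERROR)
        st.window += increment
        return "ok"

    def over_budget(self) -> bool:
        """True once server-initiated resets exceed the constructed budget."""
        return self.server_resets > self.reset_budget


def demo() -> ConnectionModel:
    """Walk one connection through a normal update, an overflow and a zero increment."""
    conn = ConnectionModel(reset_budget=1)
    conn.open_stream(1)
    conn.window_update(1, 1_000)           # ok: window becomes 66_535
    conn.open_stream(3)
    conn.window_update(3, MAX_WINDOW)      # overflow: INITIAL_WINDOW + MAX_WINDOW > MAX_WINDOW
    conn.open_stream(5)
    conn.window_update(5, 0)               # zero increment: PROTOCOL_ERROR
    return conn


if __name__ == "__main__":
    c = demo()
    for sid, st in c.streams.items():
        print(sid, st.window, st.reset_code)
    print("over budget:", c.over_budget())
```

The reset budget is where a server's own mitigation logic would live; the RFC-mandated resets above happen regardless of it, which is the distinction Rich draws between a positive checker result and an actual exploitable condition.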
