@wild1145

Does your system show stats about how many transactions connections serviced before they closed? Or, alternatively, what the lifetimes of established connections are?

I'm asking because I'm putting the occasional knob into the HTTP server in #djbwares and you've made me think about transaction caps and what's reasonable when one is under attack from an LLM scraper; when one really doesn't want the attacker to be able to hold existing connections open indefinitely.

#httpd

Apache httpd 2.4.68 has been released! It includes a mod_http2 update to 2.0.42, which includes more fixes for the recently announced "HTTP/2 Bomb"

https://downloads.apache.org/httpd/CHANGES_2.4.68

https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

For more info, here's a post @icing wrote about the original "HPACK Bombing Apache" about a year ago:

https://eissing.org/icing/posts/hpack-bombing-apache/

#apache #httpd #http2bomb #security

Random relinking at boot comes to httpd(8) and smtpd(8)

Stefan 'lerothas' D. :v_gay2: (@[email protected])

The open source programs nginx and Apache httpd are already patched; the closed source programs from MicroSlop, among others, are still vulnerable. But open source is of course far too insecure and just hobby projects anyway. Isn't that right? Only one client needed: HTTP/2 Bomb takes down web servers in seconds https://www.golem.de/news/nur-ein-client-noetig-http-2-bomb-legt-webserver-in-sekunden-lahm-2606-209396.html #nginx #apachehttpd #MicrosoftIIS #http2bomb #opensource

LGBTQIA+ and Tech
Codex Discovered a Hidden HTTP/2 Bomb

14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.

Calif

Codex Discovered a Hidden HTTP/2 Bomb

14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.

💥 https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

#http2 #break #http2Bomb #compression #web #http #nginx #Apache #httpd #Microsoft #IIS #Envoy #Cloudflare #Pingora #Apachehttpd #MicrosoftIIS #CloudflarePingora #webserver #server

freenginx news

nginx

If you're still using #apache's #httpd, please check whether you're affected or not

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html

#cve #infosec

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Apache fixes CVE-2026-23918 in HTTP/2; double-free flaw enables DoS and RCE, impacting version 2.4.66 users.

The Hacker News