""" This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. Fix CVE-2019-9511 and CVE-2019-9513 Add nghttp2_option_set_max_outbound_ack API function nghttpx: Fix request stall """ Oddly, these more or less generic vulnerabilities have been claimed as aliases by bug #692102 already.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf17d7b92109b8841a3cd7418bf098705d668cbb commit cf17d7b92109b8841a3cd7418bf098705d668cbb Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2019-08-14 05:54:55 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2019-08-14 05:54:55 +0000 net-libs/nghttp2: Security bump to version 1.39.2 Bug: https://bugs.gentoo.org/692112 Package-Manager: Portage-2.3.71, Repoman-2.3.17 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-libs/nghttp2/Manifest | 1 + net-libs/nghttp2/nghttp2-1.39.2.ebuild | 75 ++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+)
arm64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdcb8b19d690f92b3089f62fcf95e922c4ff0c7b commit bdcb8b19d690f92b3089f62fcf95e922c4ff0c7b Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2019-08-14 23:38:09 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2019-08-14 23:39:15 +0000 net-libs/nghttp2: 1.39.2 amd64 stable Bug: https://bugs.gentoo.org/692112 Package-Manager: Portage-2.3.71, Repoman-2.3.17 Signed-off-by: Zac Medico <zmedico@gentoo.org> net-libs/nghttp2/nghttp2-1.39.2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
sparc stable
hppa stable
x86 stable
ia64/ppc/ppc64 stable
s390 stable
alpha stable
arm stable
@maintainer, please drop vulnerable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1295ce24c304818ce199d5466f7e0732fee2b1fe commit 1295ce24c304818ce199d5466f7e0732fee2b1fe Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2019-09-03 07:49:27 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2019-09-03 07:49:27 +0000 net-libs/nghttp2: Security cleanup Bug: https://bugs.gentoo.org/692112 Package-Manager: Portage-2.3.75, Repoman-2.3.17 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-libs/nghttp2/Manifest | 1 - net-libs/nghttp2/nghttp2-1.39.1.ebuild | 75 ---------------------------------- 2 files changed, 76 deletions(-)
(In reply to Larry the Git Cow from comment #12) > The bug has been referenced in the following commit(s): > > https://gitweb.gentoo.org/repo/gentoo.git/commit/ > ?id=1295ce24c304818ce199d5466f7e0732fee2b1fe > > commit 1295ce24c304818ce199d5466f7e0732fee2b1fe > Author: Lars Wendler <polynomial-c@gentoo.org> > AuthorDate: 2019-09-03 07:49:27 +0000 > Commit: Lars Wendler <polynomial-c@gentoo.org> > CommitDate: 2019-09-03 07:49:27 +0000 > > net-libs/nghttp2: Security cleanup > > Bug: https://bugs.gentoo.org/692112 > Package-Manager: Portage-2.3.75, Repoman-2.3.17 > Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> > > net-libs/nghttp2/Manifest | 1 - > net-libs/nghttp2/nghttp2-1.39.1.ebuild | 75 > ---------------------------------- > 2 files changed, 76 deletions(-) Danke!
