Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718952 - <www-servers/h2o-2.2.6: Multiple vulnerabilities (CVE-2019-{9512,9514,9515})
Summary: <www-servers/h2o-2.2.6: Multiple vulnerabilities (CVE-2019-{9512,9514,9515})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/h2o/h2o/issues/2090
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517
  Show dependency tree
 
Reported: 2020-04-23 02:06 UTC by Sam James
Modified: 2020-05-04 01:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:06:40 UTC 
The bug has a great summary [0] for us:
"Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
    CVE-2019-9512 (Ping Flood)
    CVE-2019-9514 (Reset Flood)
    CVE-2019-9515 (Settings Flood)"


[0] https://github.com/h2o/h2o/issues/2090#issue-479463015
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:07:05 UTC 
@maintainer(s), please bump to 2.2.6!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 00:08:47 UTC 
Note that these issues also applied to other applications, e.g. bug 692152.
Comment 3 Larry the Git Cow gentoo-dev 2020-04-30 13:07:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e458c40a76090011313d131dd7ad35dca540902e

commit e458c40a76090011313d131dd7ad35dca540902e
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:07:04 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:07:04 +0000

    www-servers/h2o: drop old
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/Manifest         |   1 -
 www-servers/h2o/h2o-2.2.5.ebuild | 106 ---------------------------------------
 2 files changed, 107 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00fbe838b896037e6aec6b8d1dc83003dc7960e0

commit 00fbe838b896037e6aec6b8d1dc83003dc7960e0
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:05:11 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:05:11 +0000

    www-servers/h2o: amd64/x86 stable
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/h2o-2.2.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 13:09:55 UTC 
Thanks!