See https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
"""
Impact
When the reverse proxy handler tries to process a certain type of invalid HTTP request, it tries to build an upstream URL by reading from an uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers.
Patches
PR #3229 fixes the issue. The pull request has been merged to master in commit f010336.
Workarounds
Upgrade to commit f010336 or later. At the moment, there is no tagged version with the fix incorporated.
Acknowledgements
This issue was reported by @ElijahGlover; see #3228.
"""
NEWS on the main site says (https://h2o.examp1e.net/):
"""
Due to a security vulnerability, users using h2o as a reverse proxy are advised to update immediately CVE-2023-30847 (Apr 27 2023)
"""
Please backport the linked patch.
They have updated the advisory.
> None of the non-beta released versions (i.e., versions up to 2.2.6) is affected by this vulnerability (May 15 2023).
There are no affected versions in the repository.
Vulnerability not in any released versions according to upstream's updated advisory.