The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Please add nghttp2-1.57.0.
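The mitigation that the 1.57.0 bump brings in is a per-connection limit on how fast a client may reset streams, which is what the attack described above abuses: open a stream with HEADERS, cancel it with RST_STREAM before the server has finished the work, repeat thousands of times. The following Python block is an added example, not code from this bug, from Gentoo or from nghttp2 itself; it replays a constructed trace of HTTP/2 frames through a token-bucket reset limiter and shows a rapid-reset burst being cut off while ordinary request cancellations pass. The burst size (1000) and refill rate (33 per second) are this example's assumed parameters, not a quotation of the library's configuration.

```python
"""Token-bucket limiter for client-initiated HTTP/2 stream resets.

Constructed example illustrating the kind of per-connection RST_STREAM
rate limit used to blunt HTTP/2 Rapid Reset (CVE-2023-44487).  The
burst/rate defaults (1000 resets, refilled at 33/s) are assumptions of
this example, not the library's own numbers.
"""
from dataclasses import dataclass

# HTTP/2 frame type codes (RFC 9113, section 6)
HEADERS = 0x1
RST_STREAM = 0x3


@dataclass
class Frame:
    ts: float        # seconds since connection start
    ftype: int       # HTTP/2 frame type code
    stream_id: int   # client-initiated streams use odd ids


class ResetRateLimiter:
    """Token bucket: `burst` resets allowed at once, then `rate` per second."""

    def __init__(self, burst: int = 1000, rate: float = 33.0) -> None:
        self.burst = burst
        self.rate = rate
        self.tokens = float(burst)
        self.last_ts = None

    def allow(self, ts: float) -> bool:
        if self.last_ts is None:
            self.last_ts = ts
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(float(self.burst),
                          self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def inspect_connection(frames, burst=1000, rate=33.0, rapid_window=0.01):
    """Replay one connection's frames; return (verdict, stats).

    verdict is "OK" or "CLOSE_CONNECTION" (limit exceeded, as a server
    would tear the connection down).  stats counts HEADERS, RST_STREAM,
    and resets that arrive within `rapid_window` seconds of the stream
    being opened, which is the signature of the attack.
    """
    limiter = ResetRateLimiter(burst, rate)
    opened_at = {}
    stats = {"headers": 0, "resets": 0, "rapid_resets": 0}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.ftype == HEADERS and f.stream_id % 2 == 1:
            opened_at.setdefault(f.stream_id, f.ts)
            stats["headers"] += 1
        elif f.ftype == RST_STREAM:
            stats["resets"] += 1
            if f.stream_id in opened_at and f.ts - opened_at[f.stream_id] <= rapid_window:
                stats["rapid_resets"] += 1
            if not limiter.allow(f.ts):
                return "CLOSE_CONNECTION", stats
    return "OK", stats


def rapid_reset_burst(n, gap=0.0001):
    """Constructed attack trace: n streams opened and reset gap/2 seconds later."""
    frames, sid = [], 1
    for i in range(n):
        t = i * gap
        frames.append(Frame(t, HEADERS, sid))
        frames.append(Frame(t + gap / 2, RST_STREAM, sid))
        sid += 2
    return frames


def benign_cancellations(n, gap=0.5):
    """Constructed benign trace: a client cancelling one request every `gap` seconds."""
    frames, sid = [], 1
    for i in range(n):
        t = i * gap
        frames.append(Frame(t, HEADERS, sid))
        frames.append(Frame(t + gap / 2, RST_STREAM, sid))
        sid += 2
    return frames


if __name__ == "__main__":
    for name, trace in (("attack", rapid_reset_burst(1100)),
                        ("benign", benign_cancellations(50))):
        print(name, *inspect_connection(trace))
```

With the assumed parameters the attack trace is cut off after a little over a thousand resets (the bucket refills only a few tokens during the 0.1 s burst), while fifty cancellations spread over 25 s never come close to the limit. The point to keep in mind when tuning such a limit on a real server is that the cost the attacker imposes is the work done between HEADERS and RST_STREAM, so the burst size should be set with the per-request backend cost in mind, not only the frame rate.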
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5788abe47326ee17b77c3e6649d980a1215b24a0

commit 5788abe47326ee17b77c3e6649d980a1215b24a0
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-10-11 12:34:33 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-10-11 12:34:33 +0000

    net-libs/nghttp2: add 1.57.0

    Closes: https://bugs.gentoo.org/915550
    Bug: https://bugs.gentoo.org/915554
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.57.0.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
I am quickly testing bumped version on my server - will open a stable request in a few hours if it looks OK
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=060dd1d5f79e1e19c5577a232d95d6b75f628c70

commit 060dd1d5f79e1e19c5577a232d95d6b75f628c70
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-11-30 07:58:50 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-11-30 07:58:50 +0000

    net-libs/nghttp2: remove vulnerable versions

    Bug: https://bugs.gentoo.org/915554
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest                 |  4 --
 net-libs/nghttp2/nghttp2-1.51.0-r1.ebuild | 79 -------------------------------
 net-libs/nghttp2/nghttp2-1.51.0.ebuild    | 76 -----------------------------
 net-libs/nghttp2/nghttp2-1.52.0.ebuild    | 58 -----------------------
 net-libs/nghttp2/nghttp2-9999.ebuild      |  1 -
 5 files changed, 218 deletions(-)