Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915567 - <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerabilitiy
Summary: <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerabilitiy
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 920513
Blocks: CVE-2023-44487
  Show dependency tree
 
Reported: 2023-10-11 05:59 UTC by Hans de Graaff
Modified: 2024-11-17 10:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2023-10-11 05:59:39 UTC
Impact

H2O is vulnerable to the HTTP/2 Rapid Reset attack.

An attacker might be able to consume more than adequate amount of processing power of h2o and the backend servers by mounting the attack.
Patches

All commits up to cb9f500 are vulnerable.

The vulnerability is fixed by #3291. Users are advised to upgrade to commit 28fe151 or above that incorporates this pull request.
Comment 1 Larry the Git Cow gentoo-dev 2023-10-22 13:44:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24f20ce718815bfd0a2db32f9fb116ec81a9e58c

commit 24f20ce718815bfd0a2db32f9fb116ec81a9e58c
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2023-10-22 13:38:38 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2023-10-22 13:38:38 +0000

    www-servers/h2o: fix CVE-2023-44487
    
    Bug: https://bugs.gentoo.org/915567
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch | 225 +++++++++++++++++++++
 www-servers/h2o/h2o-2.2.6-r2.ebuild                | 107 ++++++++++
 2 files changed, 332 insertions(+)
Comment 2 Anthony Ryan 2023-12-07 18:23:10 UTC
This bug is interesting in that the upstream has now decided that they're no longer going to tag release ever again.

They now consider the git master branch to be the latest stable release at all times.

For fixing this in the tree, should we start simply doing semi-arbitrary dates for releases?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 01:34:24 UTC
(In reply to Anthony Ryan from comment #2)
> This bug is interesting in that the upstream has now decided that they're no
> longer going to tag release ever again.
> 
> They now consider the git master branch to be the latest stable release at
> all times.
> 
> For fixing this in the tree, should we start simply doing semi-arbitrary
> dates for releases?

That's one way to do it!
Comment 4 Larry the Git Cow gentoo-dev 2024-11-16 14:02:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abd0bfd71ef191a04cfb2c86ba495208d3966efc

commit abd0bfd71ef191a04cfb2c86ba495208d3966efc
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2024-11-16 13:56:32 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2024-11-16 14:01:31 +0000

    www-servers/h2o: new snapshot
    
    Bug: https://bugs.gentoo.org/915567
    Bug: https://bugs.gentoo.org/919882
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/Manifest                     |   1 +
 www-servers/h2o/h2o-2.3.0_pre20241014.ebuild | 105 +++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)