915567 – <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerabilitiy

Bug 915567 - <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerabilitiy

Summary: <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerabilitiy

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	920513
Blocks:	CVE-2023-44487
	Show dependency tree

Reported:	2023-10-11 05:59 UTC by Hans de Graaff
Modified:	2024-11-17 10:23 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hans de Graaff gentoo-dev

2023-10-11 05:59:39 UTC

Impact

H2O is vulnerable to the HTTP/2 Rapid Reset attack.

An attacker might be able to consume more than adequate amount of processing power of h2o and the backend servers by mounting the attack.
Patches

All commits up to cb9f500 are vulnerable.

The vulnerability is fixed by #3291. Users are advised to upgrade to commit 28fe151 or above that incorporates this pull request.

Comment 1 Larry the Git Cow gentoo-dev

2023-10-22 13:44:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24f20ce718815bfd0a2db32f9fb116ec81a9e58c

commit 24f20ce718815bfd0a2db32f9fb116ec81a9e58c
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2023-10-22 13:38:38 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2023-10-22 13:38:38 +0000

    www-servers/h2o: fix CVE-2023-44487
    
    Bug: https://bugs.gentoo.org/915567
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch | 225 +++++++++++++++++++++
 www-servers/h2o/h2o-2.2.6-r2.ebuild                | 107 ++++++++++
 2 files changed, 332 insertions(+)

Comment 2 Anthony Ryan 2023-12-07 18:23:10 UTC

This bug is interesting in that the upstream has now decided that they're no longer going to tag release ever again.

They now consider the git master branch to be the latest stable release at all times.

For fixing this in the tree, should we start simply doing semi-arbitrary dates for releases?

Comment 3 John Helmert III archtester

2023-12-22 01:34:24 UTC

(In reply to Anthony Ryan from comment #2)
> This bug is interesting in that the upstream has now decided that they're no
> longer going to tag release ever again.
> 
> They now consider the git master branch to be the latest stable release at
> all times.
> 
> For fixing this in the tree, should we start simply doing semi-arbitrary
> dates for releases?

That's one way to do it!

Comment 4 Larry the Git Cow gentoo-dev

2024-11-16 14:02:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abd0bfd71ef191a04cfb2c86ba495208d3966efc

commit abd0bfd71ef191a04cfb2c86ba495208d3966efc
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2024-11-16 13:56:32 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2024-11-16 14:01:31 +0000

    www-servers/h2o: new snapshot
    
    Bug: https://bugs.gentoo.org/915567
    Bug: https://bugs.gentoo.org/919882
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/Manifest                     |   1 +
 www-servers/h2o/h2o-2.3.0_pre20241014.ebuild | 105 +++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)