
Bug 718952

Summary: <www-servers/h2o-2.2.6: Multiple vulnerabilities (CVE-2019-{9512,9514,9515})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hattya
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/h2o/h2o/issues/2090
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 719460    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:06:40 UTC
The bug has a great summary [0] for us:
"Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
    CVE-2019-9512 (Ping Flood)
    CVE-2019-9514 (Reset Flood)
    CVE-2019-9515 (Settings Flood)"


[0] https://github.com/h2o/h2o/issues/2090#issue-479463015
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:07:05 UTC
@maintainer(s), please bump to 2.2.6!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 00:08:47 UTC
Note that these issues also applied to other applications, e.g. bug 692152.
Comment 3 Larry the Git Cow gentoo-dev 2020-04-30 13:07:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e458c40a76090011313d131dd7ad35dca540902e

commit e458c40a76090011313d131dd7ad35dca540902e
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:07:04 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:07:04 +0000

    www-servers/h2o: drop old
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/Manifest         |   1 -
 www-servers/h2o/h2o-2.2.5.ebuild | 106 ---------------------------------------
 2 files changed, 107 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00fbe838b896037e6aec6b8d1dc83003dc7960e0

commit 00fbe838b896037e6aec6b8d1dc83003dc7960e0
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:05:11 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:05:11 +0000

    www-servers/h2o: amd64/x86 stable
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/h2o-2.2.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 13:09:55 UTC
Thanks!