Summary: | <www-servers/h2o-2.2.6-r2: HTTP/2 Rapid Reset vulnerability | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | IN_PROGRESS --- | |
Severity: | minor | CC: | anthonyryan1, hattya
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B3 [stable?] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 920513 | |
Bug Blocks: | 915553 | |

Description
Hans de Graaff

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24f20ce718815bfd0a2db32f9fb116ec81a9e58c

commit 24f20ce718815bfd0a2db32f9fb116ec81a9e58c
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2023-10-22 13:38:38 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2023-10-22 13:38:38 +0000

    www-servers/h2o: fix CVE-2023-44487

    Bug: https://bugs.gentoo.org/915567
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch | 225 +++++++++++++++++++++
 www-servers/h2o/h2o-2.2.6-r2.ebuild                | 107 ++++++++++
 2 files changed, 332 insertions(+)

This bug is interesting in that the upstream has now decided that they're no longer going to tag releases ever again.

They now consider the git master branch to be the latest stable release at all times.

For fixing this in the tree, should we start simply doing semi-arbitrary dates for releases?

(In reply to Anthony Ryan from comment #2)
> This bug is interesting in that the upstream has now decided that they're no
> longer going to tag releases ever again.
>
> They now consider the git master branch to be the latest stable release at
> all times.
>
> For fixing this in the tree, should we start simply doing semi-arbitrary
> dates for releases?

That's one way to do it!