Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918415

Summary: net-proxy/haproxy: http/2 rapid reset vulnerability
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: bertrand, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/haproxy/haproxy/issues/2312
Whiteboard: A3 [upstream]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 915553    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 18:45:09 UTC 
CVE-2023-44487:

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

According to upstream, "So far I failed to harm the process more than
with regular traffic (neither CPU nor concurrency)."

So maybe not affected?