| Summary: | <net-libs/nghttp2-1.61.0: HTTP/2 CONTINUATION frames can be utilized for DoS attacks | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | normal | CC: | voyageur |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q | | |
| Whiteboard: | A3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 928585 | | |
| Bug Blocks: | 928538 | | |

Description
Christopher Fore
2024-04-03 22:43:41 UTC
It sounds like https://github.com/nghttp2/nghttp2/issues/2121 is the upstream tracker, release scheduled for today.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436

commit 6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-04-04 12:07:47 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-04-04 12:07:58 +0000

    net-libs/nghttp2: add 1.61.0

    Bug: https://bugs.gentoo.org/928541
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest | 1 +
 net-libs/nghttp2/nghttp2-1.61.0.ebuild | 61 ++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

Changes are minimal compared to 1.60.0, which worked fine for me, and no issues in quick testing here - I will open a stabling round for 1.61.0

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e15895318a1239158426b059ce8f1d60a62a7b0a

commit e15895318a1239158426b059ce8f1d60a62a7b0a
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-04-29 07:13:10 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-04-29 07:13:10 +0000

    net-libs/nghttp2: drop 1.57.0, 1.58.0, 1.59.0, 1.60.0

    Bug: https://bugs.gentoo.org/928541
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest | 4 ---
 net-libs/nghttp2/nghttp2-1.57.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.58.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.59.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.60.0.ebuild | 56 --------------------------------
 5 files changed, 234 deletions(-)