Bug 928541 (CVE-2024-28182)

Summary: <net-libs/nghttp2-1.61.0: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: voyageur
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 928585    
Bug Blocks: 928538    

Description Christopher Fore 2024-04-03 22:43:41 UTC
CVE-2024-28182:

An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not call back to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
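To make the failure mode concrete, here is an added example (not code from the bug, from nghttp2, or from Gentoo) of the receive-side check a defender wants: an HTTP/2 frame walker that bounds the number of CONTINUATION frames accepted per header block and reports each one to the application before any reset. The `max_continuations=8` default mirrors the per-header-block CONTINUATION cap that nghttp2 1.61.0 introduced; the frame stream in `build_sample()` is constructed with filler payloads, not real HPACK data, and the helper names are this example's own.

```python
import struct
# HTTP/2 frame type and flag constants from RFC 9113
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    head = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return head + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length

def check_header_blocks(data, max_continuations=8, on_continuation=None):
    """Return [(stream_id, 'ok'|'rst')]: 'ok' when a header block completes within
    the cap, 'rst' when the cap is exceeded. on_continuation(sid, count, payload_len)
    is invoked for every accepted CONTINUATION so the application sees it first."""
    verdicts, pending = [], {}  # pending: stream_id -> CONTINUATION frames seen
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS:
            if flags & END_HEADERS:
                verdicts.append((sid, "ok"))
            else:
                pending[sid] = 0
        elif ftype == CONTINUATION and sid in pending:
            pending[sid] += 1
            if on_continuation:
                on_continuation(sid, pending[sid], len(payload))
            if pending[sid] > max_continuations:
                verdicts.append((sid, "rst"))
                del pending[sid]  # further CONTINUATIONs for this stream are dropped
            elif flags & END_HEADERS:
                verdicts.append((sid, "ok"))
                del pending[sid]
    return verdicts

def build_sample():
    """Constructed frame stream: payloads are filler bytes, not real HPACK data."""
    data = encode_frame(HEADERS, 0, 1, b"\x82")
    for i in range(3):  # stream 1: a benign three-frame header block
        data += encode_frame(CONTINUATION, END_HEADERS if i == 2 else 0, 1, b"\x00")
    data += encode_frame(HEADERS, END_HEADERS, 5, b"\x82")  # stream 5: single frame
    data += encode_frame(HEADERS, 0, 3, b"\x82")
    for _ in range(20):  # stream 3: CONTINUATION flood that never sets END_HEADERS
        data += encode_frame(CONTINUATION, 0, 3, b"\x00" * 16)
    return data
```

In a real implementation a non-CONTINUATION frame arriving mid-header-block, or a CONTINUATION on a stream with no open block, is a connection error; the walker above simply ignores those to keep the cap logic in focus.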
Comment 1 Bernard Cafarelli gentoo-dev 2024-04-04 06:56:15 UTC
It sounds like https://github.com/nghttp2/nghttp2/issues/2121 is the upstream tracker, release scheduled for today
Comment 2 Larry the Git Cow gentoo-dev 2024-04-04 12:08:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436

commit 6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-04-04 12:07:47 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-04-04 12:07:58 +0000

    net-libs/nghttp2: add 1.61.0
    
    Bug: https://bugs.gentoo.org/928541
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.61.0.ebuild | 61 ++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Bernard Cafarelli gentoo-dev 2024-04-04 15:33:12 UTC
Changes are minimal compared to 1.60.0, which worked fine for me, and no issues in quick testing here - I will open a stabling round for 1.61.0
Comment 4 Larry the Git Cow gentoo-dev 2024-04-29 07:14:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e15895318a1239158426b059ce8f1d60a62a7b0a

commit e15895318a1239158426b059ce8f1d60a62a7b0a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2024-04-29 07:13:10 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2024-04-29 07:13:10 +0000

    net-libs/nghttp2: drop 1.57.0, 1.58.0, 1.59.0, 1.60.0
    
    Bug: https://bugs.gentoo.org/928541
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest              |  4 ---
 net-libs/nghttp2/nghttp2-1.57.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.58.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.59.0.ebuild | 58 ----------------------------------
 net-libs/nghttp2/nghttp2-1.60.0.ebuild | 56 --------------------------------
 5 files changed, 234 deletions(-)