Bug 718952 - <www-servers/h2o-2.2.6: Multiple vulnerabilities (CVE-2019-{9512,9514,9515})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/h2o/h2o/issues/2090
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517
Reported: 2020-04-23 02:06 UTC by Sam James
Modified: 2020-05-04 01:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:06:40 UTC
The bug has a great summary [0] for us:
"Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
    CVE-2019-9512 (Ping Flood)
    CVE-2019-9514 (Reset Flood)
    CVE-2019-9515 (Settings Flood)"


[0] https://github.com/h2o/h2o/issues/2090#issue-479463015
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:07:05 UTC
@maintainer(s), please bump to 2.2.6!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 00:08:47 UTC
Note that these issues also applied to other applications, e.g. bug 692152.
Comment 3 Larry the Git Cow gentoo-dev 2020-04-30 13:07:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e458c40a76090011313d131dd7ad35dca540902e

commit e458c40a76090011313d131dd7ad35dca540902e
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:07:04 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:07:04 +0000

    www-servers/h2o: drop old
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/Manifest         |   1 -
 www-servers/h2o/h2o-2.2.5.ebuild | 106 ---------------------------------------
 2 files changed, 107 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00fbe838b896037e6aec6b8d1dc83003dc7960e0

commit 00fbe838b896037e6aec6b8d1dc83003dc7960e0
Author:     Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2020-04-30 13:05:11 +0000
Commit:     Akinori Hattori <hattya@gentoo.org>
CommitDate: 2020-04-30 13:05:11 +0000

    www-servers/h2o: amd64/x86 stable
    
    Bug: https://bugs.gentoo.org/718952
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 www-servers/h2o/h2o-2.2.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 13:09:55 UTC
Thanks!