Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 726834 (CVE-2020-11080) - <net-libs/nghttp2-1.41.0: denial of service via overly large SETTINGS frames (CVE-2020-11080)
Summary: <net-libs/nghttp2-1.41.0: denial of service via overly large SETTINGS frames ...
Status: RESOLVED FIXED
Alias: CVE-2020-11080
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nghttp2.org/blog/2020/06/02/n...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-02 20:26 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-07-27 20:37 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/nghttp2-1.41.0
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-06-02 20:26:36 UTC 
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Impact
The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client
constructing a SETTINGS frame with a length of 14,400 bytes (2400
individual settings entries) over and over again. The attack
causes the CPU to spike at 100%.

Patches
nghttp2 v1.41.0 fixes this vulnerability.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-02 20:45:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83969940dab82d3e44003f659eaec0a4668bcb45

commit 83969940dab82d3e44003f659eaec0a4668bcb45
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-02 20:45:07 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-02 20:45:19 +0000

    net-libs/nghttp2: Security bump to version 1.41.0
    
    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.41.0.ebuild | 77 ++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-06-03 09:22:54 UTC 
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-03 10:27:45 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-03 15:11:21 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-03 15:13:57 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-03 15:16:06 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-03 15:18:18 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-03 15:27:59 UTC 
sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-07 21:04:18 UTC 
arm64 stable

----
@maintainer(s), please cleanup
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 02:14:17 UTC 
ping
Comment 11 Larry the Git Cow gentoo-dev 2020-06-20 11:21:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3707631c00f4838f95dcedc2c64c622390a6a888

commit 3707631c00f4838f95dcedc2c64c622390a6a888
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 11:21:37 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 11:21:45 +0000

    net-libs/nghttp2: Security cleanup
    
    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 -
 net-libs/nghttp2/nghttp2-1.40.0.ebuild | 77 ----------------------------------
 2 files changed, 78 deletions(-)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 12:46:20 UTC 
Thanka!