https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Impact
The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

Patches
nghttp2 v1.41.0 fixes this vulnerability.
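As an added example (not code from the advisory, nghttp2, or Gentoo), the following Python check validates inbound HTTP/2 SETTINGS frame headers on the receiving side and rejects a payload whose entry count exceeds a budget, plus a per-connection frame budget against the repeated-frame pattern the advisory describes. The entry cap, frame budget, and the frame builder used to construct sample input are assumptions of this example, not nghttp2's own limits.

```python
import struct

FRAME_HEADER_LEN = 9          # RFC 7540 frame header: 24-bit length, type, flags, 31-bit stream id
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTINGS_ENTRY_LEN = 6        # 16-bit identifier + 32-bit value per entry
MAX_SETTINGS_ENTRIES = 32     # assumed policy value for this example
MAX_SETTINGS_FRAMES = 10      # assumed per-connection budget; a real server would reset it per window


def parse_frame_header(data: bytes):
    """Return (length, type, flags, stream_id) from the 9-octet frame header."""
    if len(data) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(data[0:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id


class SettingsGuard:
    """Per-connection checks applied before a SETTINGS payload is parsed."""

    def __init__(self, max_entries=MAX_SETTINGS_ENTRIES, max_frames=MAX_SETTINGS_FRAMES):
        self.max_entries = max_entries
        self.max_frames = max_frames
        self.frames_seen = 0

    def check(self, frame: bytes) -> str:
        length, ftype, flags, stream_id = parse_frame_header(frame)
        if ftype != SETTINGS_FRAME_TYPE:
            return "not-settings"
        # RFC 7540 6.5: SETTINGS is on stream 0 and its length is a multiple of 6
        if stream_id != 0 or length % SETTINGS_ENTRY_LEN != 0:
            return "protocol-error"
        if flags & SETTINGS_ACK_FLAG and length != 0:
            return "frame-size-error"   # an ACK must carry no payload
        if length // SETTINGS_ENTRY_LEN > self.max_entries:
            return "reject-oversized"   # refuse before doing per-entry work
        self.frames_seen += 1
        if self.frames_seen > self.max_frames:
            return "reject-flood"       # too many SETTINGS frames on one connection
        return "accept"


def build_settings_frame(entries):
    """Constructed sample input: a SETTINGS frame from (identifier, value) pairs."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0]) + (0).to_bytes(4, "big")
    return header + payload
```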
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83969940dab82d3e44003f659eaec0a4668bcb45

commit 83969940dab82d3e44003f659eaec0a4668bcb45
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-02 20:45:07 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-02 20:45:19 +0000

    net-libs/nghttp2: Security bump to version 1.41.0

    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.41.0.ebuild | 77 ++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
s390 stable
x86 stable
amd64 stable
arm stable
ppc stable
ppc64 stable
sparc stable
arm64 stable

----
@maintainer(s), please clean up
ping
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3707631c00f4838f95dcedc2c64c622390a6a888

commit 3707631c00f4838f95dcedc2c64c622390a6a888
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 11:21:37 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 11:21:45 +0000

    net-libs/nghttp2: Security cleanup

    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 -
 net-libs/nghttp2/nghttp2-1.40.0.ebuild | 77 ----------------------------------
 2 files changed, 78 deletions(-)
Thanks!