The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Please add nghttp2-1.57.0.
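As an added illustration of the class of mitigation the fixed releases apply (constructed example code, not nghttp2's or Gentoo's): a per-connection token bucket that bounds how fast a peer may reset streams, so a burst of cancellations closes the connection instead of consuming server resources. The burst and rate figures, the `reset_limiter` type and the replay helper are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed example: a per-connection token bucket bounding how fast a peer
 * may reset streams.  Each RST_STREAM consumes one token; tokens refill at
 * `rate` per second up to `burst`.  An empty bucket means the peer is resetting
 * streams faster than any legitimate client and the connection should be closed.
 * The burst and rate values used below are illustrative, not nghttp2's defaults. */
typedef struct {
    double tokens;   /* tokens currently available */
    double burst;    /* bucket capacity */
    double rate;     /* refill rate in tokens per second */
    double last_ts;  /* time of last refill, in seconds */
} reset_limiter;

void reset_limiter_init(reset_limiter *rl, double burst, double rate, double now) {
    rl->tokens = rl->burst = burst;
    rl->rate = rate;
    rl->last_ts = now;
}

/* Account for one stream reset observed at time `now` (seconds).
 * Returns 1 if it is within limits, 0 if the connection should be closed. */
int reset_limiter_allow(reset_limiter *rl, double now) {
    double elapsed = now - rl->last_ts;
    if (elapsed > 0) {
        rl->tokens += elapsed * rl->rate;
        if (rl->tokens > rl->burst) rl->tokens = rl->burst;
        rl->last_ts = now;
    }
    if (rl->tokens < 1.0) return 0;  /* bucket drained: reset flood */
    rl->tokens -= 1.0;
    return 1;
}

/* Replay `n` constructed resets spaced `interval` seconds apart from t=0 and
 * return the index of the first rejected one, or -1 if all stayed within limits. */
long first_rejected(double burst, double rate, size_t n, double interval) {
    reset_limiter rl;
    reset_limiter_init(&rl, burst, rate, 0.0);
    for (size_t i = 0; i < n; i++)
        if (!reset_limiter_allow(&rl, (double)i * interval)) return (long)i;
    return -1;
}

int main(void) {
    /* A flood of 5000 resets 0.1 ms apart versus a client cancelling 5 per second. */
    printf("flood: rejected at reset #%ld\n", first_rejected(1000, 33, 5000, 0.0001));
    printf("normal client: rejected at #%ld\n", first_rejected(1000, 33, 5000, 0.2));
    return 0;
}
```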
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5788abe47326ee17b77c3e6649d980a1215b24a0

commit 5788abe47326ee17b77c3e6649d980a1215b24a0
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-10-11 12:34:33 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-10-11 12:34:33 +0000

    net-libs/nghttp2: add 1.57.0

    Closes: https://bugs.gentoo.org/915550
    Bug: https://bugs.gentoo.org/915554
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.57.0.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
I am quickly testing the bumped version on my server - will open a stable request in a few hours if it looks OK.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=060dd1d5f79e1e19c5577a232d95d6b75f628c70

commit 060dd1d5f79e1e19c5577a232d95d6b75f628c70
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-11-30 07:58:50 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-11-30 07:58:50 +0000

    net-libs/nghttp2: remove vulnerable versions

    Bug: https://bugs.gentoo.org/915554
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-libs/nghttp2/Manifest                 |  4 --
 net-libs/nghttp2/nghttp2-1.51.0-r1.ebuild | 79 -------------------------------
 net-libs/nghttp2/nghttp2-1.51.0.ebuild    | 76 ----------------------------
 net-libs/nghttp2/nghttp2-1.52.0.ebuild    | 58 ----------------------
 net-libs/nghttp2/nghttp2-9999.ebuild      |  1 -
 5 files changed, 218 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f6a7c4300d3b622f080cf1b26b0a342a160fb771

commit f6a7c4300d3b622f080cf1b26b0a342a160fb771
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 11:37:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 11:37:34 +0000

    [ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/915554
    Bug: https://bugs.gentoo.org/928541
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-10.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)