Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919882 (CVE-2023-41337, CVE-2023-50247) - www-servers/h2o: multiple vulnerabilities
Summary: www-servers/h2o: multiple vulnerabilities
Alias: CVE-2023-41337, CVE-2023-50247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [upstream/ebuild]
Depends on:
Reported: 2023-12-14 14:44 UTC by Christopher Fore
Modified: 2023-12-22 02:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2023-12-14 14:44:16 UTC
CVE-2023-41337 (

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. (Shortened for brevity)

CVE-2023-50247 (

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (in version 2.3.0-beta and prior), is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause H2O to abort due to memory exhaustion. The vulnerability has been resolved in commit d67e81d03be12a9d53dc8271af6530f40164cd35. HTTP/1 and HTTP/2 are not affected by this vulnerability as they do not use QUIC. Administrators looking to mitigate this issue without upgrading can disable HTTP/3 support.

The above will likely be fixed in 2.3.0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 02:07:29 UTC
No upstream release with a fix while patches exist -> upstream/ebuild since we're waiting for a release but the maintainer could also backport the patches (in theory).