Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574780 (CVE-2016-1544) - <net-libs/nghttp2-1.7.1: out of memory error due to unlimited incoming HTTP header fields
Summary: <net-libs/nghttp2-1.7.1: out of memory error due to unlimited incoming HTTP h...
Alias: CVE-2016-1544
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2016-02-15 13:03 UTC by Agostino Sarubbo
Modified: 2016-12-05 01:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-15 13:03:04 UTC
From ${URL} :

A vulnerability was found in a way nghttp2 processes incoming packets.
Nghttpd, nghttp, and libnghttp2_asio applications do not limit the
memory usage for the incoming HTTP header field. If peer sends
specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they
will crash with out of memory error.

Upstream report and fix:

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-02-15 14:24:37 UTC
1.7.1 is fine to stabilize
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-17 07:13:17 UTC
Stable for HPPA PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:04 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-15 16:43:10 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:23:15 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-16 12:07:15 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-19 11:39:27 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-20 12:03:08 UTC
ia64 stable
Comment 9 SpanKY gentoo-dev 2016-05-06 15:49:30 UTC
done the rest now
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 15:10:51 UTC
@ Security: Waiting for GLSA/CVE...
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 00:26:46 UTC
New GLSA created.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-05 01:25:16 UTC
This issue was resolved and addressed in
 GLSA 201612-13 at
by GLSA coordinator Aaron Bauman (b-man).