Bug 915553 (CVE-2023-44487) - [Tracker] HTTP/2 Rapid Reset vulnerability
Summary: [Tracker] HTTP/2 Rapid Reset vulnerability
Status: CONFIRMED
Alias: CVE-2023-44487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.cve.org/CVERecord?id=CVE-...
Whiteboard: A3
Keywords: Tracker
Depends on: 915554 915567 CVE-2023-42794, CVE-2023-42795, CVE-2023-45648 CVE-2023-31122, CVE-2023-43622, CVE-2023-45802 916038 CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, CVE-2023-39333, CVE-2023-45143 917614 918413 918415 918418 918419 CVE-2023-3462, CVE-2023-4680, CVE-2023-5077 CVE-2023-39325 CVE-2023-36478, CVE-2023-39151, CVE-2023-43494, CVE-2023-43495, CVE-2023-43496, CVE-2023-43497, CVE-2023-43498
Reported: 2023-10-10 16:52 UTC by Hans de Graaff
Modified: 2023-11-24 19:17 UTC
Description Hans de Graaff gentoo-dev Security 2023-10-10 16:52:03 UTC
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.