CVE-2024-28182: An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
It sounds like https://github.com/nghttp2/nghttp2/issues/2121 is the upstream tracker, release scheduled for today
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436 commit 6243ef44ec96ae59f6fec2bbd4bb44f4ee61e436 Author: Bernard Cafarelli <voyageur@gentoo.org> AuthorDate: 2024-04-04 12:07:47 +0000 Commit: Bernard Cafarelli <voyageur@gentoo.org> CommitDate: 2024-04-04 12:07:58 +0000 net-libs/nghttp2: add 1.61.0 Bug: https://bugs.gentoo.org/928541 Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org> net-libs/nghttp2/Manifest | 1 + net-libs/nghttp2/nghttp2-1.61.0.ebuild | 61 ++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+)
Changes are minimal compared to 1.60.0, which worked fine for me, and no issues in quick testing here - I will open a stabling round for 1.61.0
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e15895318a1239158426b059ce8f1d60a62a7b0a commit e15895318a1239158426b059ce8f1d60a62a7b0a Author: Bernard Cafarelli <voyageur@gentoo.org> AuthorDate: 2024-04-29 07:13:10 +0000 Commit: Bernard Cafarelli <voyageur@gentoo.org> CommitDate: 2024-04-29 07:13:10 +0000 net-libs/nghttp2: drop 1.57.0, 1.58.0, 1.59.0, 1.60.0 Bug: https://bugs.gentoo.org/928541 Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org> net-libs/nghttp2/Manifest | 4 --- net-libs/nghttp2/nghttp2-1.57.0.ebuild | 58 ---------------------------------- net-libs/nghttp2/nghttp2-1.58.0.ebuild | 58 ---------------------------------- net-libs/nghttp2/nghttp2-1.59.0.ebuild | 58 ---------------------------------- net-libs/nghttp2/nghttp2-1.60.0.ebuild | 56 -------------------------------- 5 files changed, 234 deletions(-)
