Headline
Gentoo Linux Security Advisory 202408-10
Gentoo Linux Security Advisory 202408-10 - Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service. Versions greater than or equal to 1.61.0 are affected.
Gentoo Linux Security Advisory GLSA 202408-10
https://security.gentoo.org/
Severity: Normal
Title: nghttp2: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #915554, #928541
ID: 202408-10
Synopsis
Multiple vulnerabilities have been discovered in nghttp2, the worst of
which could lead to a denial of service.
Background
Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.
Affected packages
Package Vulnerable Unaffected
net-libs/nghttp2 < 1.61.0 >= 1.61.0
Description
Multiple vulnerabilities have been discovered in nghttp2. Please review
the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All nghttp2 users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=net-libs/nghttp2-1.61.0”
References
[ 1 ] CVE-2023-44487
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
[ 2 ] CVE-2024-28182
https://nvd.nist.gov/vuln/detail/CVE-2024-28182
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-10
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Red Hat Security Advisory 2024-4824-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4576-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4252-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3875-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3763-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3701-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3544-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3501-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6754-1 - It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Red Hat Security Advisory 2024-0273-03 - Red Hat OpenShift Virtualization release 4.12.9 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-6239-01 - An update is now available for Kiali for RHEL 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6079-01 - Red Hat Integration Camel for Spring Boot 3.20.3 release and security update is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5979-01 - Updated Satellite 6.12 packages that fixes important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-5978-01 - JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.13 base is now available. See references for release notes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5841-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5783-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5766-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History