Opened 2 years ago

Closed 2 years ago

#12401 closed enhancement (fixed)

nghttp2-1.39.2

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Change History (4)

comment:1 by Douglas R. Reno, 2 years ago

Summary: nghttp2-1.39.1nghttp2-1.39.2

Set the right version

comment:2 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:3 by Douglas R. Reno, 2 years ago

Priority: normalhigh
This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

    Fix CVE-2019-9511 and CVE-2019-9513
    Add nghttp2_option_set_max_outbound_ack API function
    nghttpx: Fix request stall

comment:4 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21966

Note: See TracTickets for help on using tickets.