Opened 7 months ago

Closed 7 months ago

#18697 closed enhancement (fixed)

nghttp2-1.57.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

Change History (5)

comment:1 by Xi Ruoyao, 7 months ago

Priority: normal → elevated

What's Changed

  • Fixes CVE-2023-44487
  • Bump ngtcp2 by @tatsuhiro-t in #1944
  • Add dependabot to update actions by @tatsuhiro-t in #1946
  • Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950
  • Bump actions/setup-go from 3 to 4 by @dependabot in #1948
  • Bump actions/checkout from 3 to 4 by @dependabot in #1949
  • Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947
  • docker: Bump base image to debian 12 by @tatsuhiro-t in #1951
  • nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953
  • Bump quictls by @tatsuhiro-t in #1945
  • Apps fix by @tatsuhiro-t in #1957
  • nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958
  • Fix clang-format by @tatsuhiro-t in #1959
  • Rework session management by @tatsuhiro-t in #1961

comment:2 by Xi Ruoyao, 7 months ago

CVE-2023-44487: HTTP/2 Rapid Reset

Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service.

IIUC it affects many HTTP/2 servers in practice. Upgrading nghttp2 will only fix the issue for the servers implemented with nghttp2.
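The pattern comment:2 describes and the class of mitigation the 1.57.0 release carries, as an added illustration that is not nghttp2's or the BLFS book's code: a small frame-trace walker that counts the HEADERS-then-RST_STREAM signature per connection, plus a token-bucket budget on peer resets that a server can enforce by closing the connection with GOAWAY. The frame traces, the limiter's burst and rate defaults, and every name below are constructed assumptions, not values taken from nghttp2.

```python
def rapid_reset_trace(n, t0=0.0, gap=0.0):
    """Constructed trace of the Rapid Reset pattern: HEADERS immediately followed
    by RST_STREAM on the same (odd, client-initiated) stream, n times over."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, t0 + i * gap
        frames += [(t, "HEADERS", sid), (t, "RST_STREAM", sid)]
    return frames

def benign_trace(n):
    """Constructed trace of a normal client: request, response DATA, and an
    occasional cancel that only arrives after data has already flowed."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * 0.01
        frames += [(t, "HEADERS", sid), (t, "DATA", sid)]
        if i % 10 == 9:
            frames.append((t, "RST_STREAM", sid))
    return frames

class ResetRateLimiter:
    """Token bucket over a peer's RST_STREAM frames (hypothetical model of the
    mitigation class nghttp2 1.57.0 adds; burst and rate defaults are constructed)."""
    def __init__(self, burst=1000, rate=33.0):
        self.burst, self.rate = burst, float(rate)   # rate = tokens refilled per second
        self.tokens, self.last = float(burst), 0.0
    def on_rst_stream(self, now):
        """Return False once the reset budget is spent; a server would then GOAWAY."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def evaluate(frames, limiter):
    """Walk a (time, frame_type, stream_id) trace; return (resets, immediate_resets,
    stream_id_that_tripped_the_limit_or_None). immediate_resets is the signature."""
    resets = immediate = 0
    tripped = prev = None
    for t, ftype, sid in frames:
        if ftype == "RST_STREAM":
            resets += 1
            if prev == ("HEADERS", sid):      # cancel with nothing served in between
                immediate += 1
            if tripped is None and not limiter.on_rst_stream(t):
                tripped = sid                 # first stream on which the budget ran out
        prev = (ftype, sid)
    return resets, immediate, tripped
```

The ratio of immediate resets to total streams is a usable detection signal in server logs even where the reset budget is not enforced.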

comment:3 by Xi Ruoyao, 7 months ago

It seems apache contains a precaution for the issue, but I'm not sure if the nghttp2 update is also needed for a server using nghttp2 via apache for HTTP/2.

comment:4 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:5 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at a47c324983d278f54cb00f294b5e5fedf2d4c645

SA-12.0-022 issued
