Lucene search
Debian Security Bug TrackerDEBIANCVE:CVE-2023-45288HistoryApr 04, 2024 - 9:15 p.m.
CVE-2023-45288
2024-04-0421:15:16
Debian Security Bug Tracker
security-tracker.debian.org
28
http/2 endpoint
header data
excessive frames
huffman-encoded data
cve-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request’s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 10 | all | golang-1.11 | <= 1.11.6-1+deb10u4 | golang-1.11_1.11.6-1+deb10u4_all.deb |
| Debian | 11 | all | golang-1.15 | <= 1.15.15-1~deb11u4 | golang-1.15_1.15.15-1~deb11u4_all.deb |
| Debian | 12 | all | golang-1.19 | <= 1.19.8-2 | golang-1.19_1.19.8-2_all.deb |
| Debian | 999 | all | golang-1.21 | < 1.21.9-1 | golang-1.21_1.21.9-1_all.deb |
| Debian | 13 | all | golang-1.21 | < 1.21.9-1 | golang-1.21_1.21.9-1_all.deb |
| Debian | 999 | all | golang-1.22 | < 1.22.2-1 | golang-1.22_1.22.2-1_all.deb |
| Debian | 13 | all | golang-1.22 | < 1.22.2-1 | golang-1.22_1.22.2-1_all.deb |
| Debian | 12 | all | golang-golang-x-net | <= 1:0.7.0+dfsg-1 | golang-golang-x-net_1:0.7.0+dfsg-1_all.deb |
| Debian | 11 | all | golang-golang-x-net | <= 1:0.0+git20210119.5f4716e+dfsg-4 | golang-golang-x-net_1:0.0+git20210119.5f4716e+dfsg-4_all.deb |
| Debian | 999 | all | golang-golang-x-net | < 1:0.23.0+dfsg-1 | golang-golang-x-net_1:0.23.0+dfsg-1_all.deb |
Related
nessus
nessus
SUSE SLES12 Security Update : go1.22 (SUSE-SU-2024:1160-1)
2024-04-09 00:00:00
FreeBSD : forgejo -- HTTP/2 CONTINUATION flood in net/http (c092be0e-f7cc-11ee-aa6b-b42e991fc52e)
2024-04-11 00:00:00
RHEL 7 : rhc-worker-script (RHSA-2024:2625)
2024-04-30 00:00:00
veracode
veracode
Denial Of Service (DOS)
2024-04-05 07:19:44
redhat
redhat
osv
osv
Traefik affected by HTTP/2 CONTINUATION flood in net/http
2024-04-15 18:14:51
Important: git-lfs security update
2024-05-09 18:50:42
net/http, x/net/http2: close connections when receiving too many headers
2024-04-04 21:30:32
cve
cve
CVE-2023-45288
2024-04-04 21:15:16
cvelist
cvelist
CVE-2023-45288 HTTP/2 CONTINUATION flood in net/http
2024-04-04 20:37:30
almalinux
almalinux
Important: go-toolset:rhel8 security update
2024-04-23 00:00:00
Important: golang security update
2024-04-23 00:00:00
Important: git-lfs security update
2024-04-29 00:00:00
freebsd
freebsd
go -- http2: close connections when receiving too many headers
2024-04-03 00:00:00
forgejo -- HTTP/2 CONTINUATION flood in net/http
2024-04-04 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-45288 affecting package kubevirt for versions less than 0.59.0-16
2024-05-14 05:06:12
CVE-2023-45288 affecting package git-lfs for versions less than 3.5.1-1
2024-04-30 01:31:53
CVE-2023-45288 affecting package kubernetes for versions less than 1.28.4-7
2024-05-14 05:06:12
ibm
ibm
Security Bulletin: IBM Storage Fusion is vulnerable to denial of service due to Golang Go's net/http and x/net/http2.
2024-05-11 16:53:43
rocky
rocky
git-lfs security update
2024-05-09 18:50:42
go-toolset:rhel8 security update
2024-05-06 13:04:21
git-lfs security update
2024-05-10 14:32:42
redhatcve
redhatcve
CVE-2023-45288
2024-04-03 20:53:54
alpinelinux
alpinelinux
CVE-2023-45288
2024-04-04 21:15:16
github
github
net/http, x/net/http2: close connections when receiving too many headers
2024-04-04 21:30:32
Traefik affected by HTTP/2 CONTINUATION flood in net/http
2024-04-15 18:14:51
oraclelinux
oraclelinux
golang security update
2024-04-23 00:00:00
go-toolset:ol8 security update
2024-04-23 00:00:00
git-lfs security update
2024-05-08 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2024-04-13 19:56:38
openvas
openvas
openSUSE: Security Advisory for go1.22 (SUSE-SU-2024:1121-1)
2024-04-09 00:00:00
Mageia: Security Advisory (MGASA-2024-0128)
2024-04-15 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:1122-1)
2024-05-07 00:00:00
ubuntucve
ubuntucve
CVE-2023-45288
2024-03-27 00:00:00
cgr
cgr
CVE-2023-45288 vulnerabilities
2024-05-19 03:07:16
githubexploit
githubexploit
Exploit for CVE-2023-45288
2024-04-06 06:33:45
wolfi
wolfi
CVE-2023-45288 vulnerabilities
2024-05-28 21:07:31
fedora
fedora
[SECURITY] Fedora 40 Update: kubernetes-1.29.4-1.fc40
2024-04-25 01:01:14
redos
redos
ROS-20240422-05
2024-04-22 00:00:00
arista
arista
Security Advisory 0094
2024-04-05 00:00:00
thn
thn
New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
2024-04-04 11:15:00
cert
cert
HTTP/2 CONTINUATION frames can be utilized for DoS attacks
2024-04-03 00:00:00