Lucene search

K
mageiaGentoo FoundationMGASA-2024-0135
HistoryApr 17, 2024 - 5:13 a.m.

Updated nghttp2 packages fix security vulnerability

2024-04-1705:13:57
Gentoo Foundation
advisories.mageia.org
15
nghttp2
security vulnerability
excessive cpu usage
http/2
continuation frames
hpack context
update
release
unix

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.2%

nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. This update fixes the issue. This is the latest release, which will bring some more fixes and improvements.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchnghttp2< 1.61.0-1nghttp2-1.61.0-1.mga9

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.2%