Redos
added 2024/04/02 12:00 a.m., 48 views

ROS-20240402-08

Vulnerability of HTTP/2 protocol implementation is related to the possibility of forming a stream of requests within an already established network connection without opening new network connections and without confirming receipt of requests. The vulnerability of the HTTP/2 protocol implementatio...

CVSS 7.5, AI score 8.9, EPSS 0.9439
Exploits: 19
Redos
added 2024/04/02 12:00 a.m., 45 views

ROS-20240402-07

Vulnerability of HTTP/2 protocol implementation is related to the possibility of forming a stream of requests within an already established network connection without opening new network connections and without confirming receipt of requests. The vulnerability of the HTTP/2 protocol implementatio...

CVSS 7.5, AI score 8.9, EPSS 0.9439
Exploits: 19
IBM Security Bulletins
added 2024/04/01 6:06 p.m., 46 views

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2023-44487)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

CVSS 7.5, AI score 7.8, EPSS 0.9439
Exploits: 19, Affected Software: 1
Hacker One
added 2024/03/31 8:25 p.m., 109 views

Internet Bug Bounty: CVE-2024-2398: HTTP/2 push headers memory-leak

A memory leak was found in libcurl when handling HTTP/2 push headers. The vulnerability was caused by libcurl's failure to properly release the allocated memory when aborting a server push due to the maximum allowed limit being exceeded. This could lead to denial of service due to memory exhausti...

CVSS 8.6, AI score 7.8, EPSS 0.01962
Exploits: 1
OSV
added 2024/03/29 3:49 a.m., 12 views

MGASA-2024-0099 Updated curl packages fix security vulnerabilities

CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak A memory leak coul...

CVSS 8.6, AI score 6.9, EPSS 0.01962
Exploits: 4, References: 4
Mageia
added 2024/03/29 3:49 a.m., 55 views

Updated curl packages fix security vulnerabilities

CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak A memory leak coul...

CVSS 8.6, AI score 7.2, EPSS 0.01962
Exploits: 4, References: 3
Tenable Nessus
added 2024/03/29 12:00 a.m., 79 views

Curl 7.44.0 < 8.7.0 HTTP/2 Push Headers Memory-leak (CVE-2024-2398)

The version of Curl installed on the remote host is between 7.44.0 and prior to 8.7.0. It is, therefore, affected by a memory-leak vulnerability. When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed...

CVSS 8.6, AI score 6.9, EPSS 0.01962
Exploits: 1, References: 2
Tenable Nessus
added 2024/03/29 12:00 a.m., 36 views

Atlassian Confluence < 7.19.20 / 7.20.x < 8.5.7 (CONFSERVER-94843)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-94843 advisory. - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, a...

CVSS 7.5, AI score 7.2, EPSS 0.01866
Exploits: 1, References: 2
IBM Security Bulletins
added 2024/03/28 3:34 p.m., 75 views

Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components

Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Planning Analytics Workspace. IBM Planning Analytics Workspace 2.0 Release 94 has addressed the applicable CVEs by upgrading or removing the vulnerable libraries. Please refer to the table in the...

CVSS 10, AI score 9.3, EPSS 0.9439
Exploits: 22, Affected Software: 2
OpenVAS
added 2024/03/28 12:00 a.m., 21 views

Ubuntu: Security Advisory (USN-6718-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.6, AI score 6.7, EPSS 0.01962
Exploits: 1, References: 2
OpenVAS
added 2024/03/28 12:00 a.m., 25 views

Slackware: Security Advisory (SSA:2024-087-01)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.6, AI score 7.3, EPSS 0.01962
Exploits: 4, References: 10
Slackware Linux
added 2024/03/27 7:16 p.m., 32 views

[slackware-security] curl

New curl packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/curl-8.7.1-i586-1slack15.0.txz: Upgraded. This release fixes the following security issues: TLS certificate check bypass with mbedTLS...

CVSS 8.6, AI score 7.5, EPSS 0.01962
Exploits: 4
Ubuntu
added 2024/03/27 11:43 a.m., 382 views

USN-6718-1: curl vulnerabilities

Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. CVE-2024-2004 It was discovered that curl incorrectly handled memory when limiti...

CVSS 8.6, AI score 6.8, EPSS 0.01962
Exploits: 2
RedhatCVE
added 2024/03/27 9:27 a.m., 78 views

CVE-2024-2398

A flaw was found in curl. When an application configures libcurl to use HTTP/2 server push and the amount of received headers for the push surpasses the maximum allowed limit, libcurl aborts the server push. When aborting, libcurl does not free all the previously allocated headers, resulting in a...

CVSS 7.5, AI score 7.1, EPSS 0.01962
Exploits: 1, References: 4
OSV
added 2024/03/27 8:15 a.m., 32 views

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

CVSS 8.6, AI score 6.6, EPSS 0.01962
Exploits: 1, References: 13
OSV
added 2024/03/27 8:15 a.m., 2 views

AZL-37069 CVE-2024-2398 affecting package cmake for versions less than 3.21.4-14

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

CVSS 8.6, AI score 6.7, EPSS 0.01962
Exploits: 1, References: 1
OSV
added 2024/03/27 8:00 a.m., 22 views

CURL-CVE-2024-2398 HTTP/2 push headers memory-leak

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

CVSS 8.6, AI score 8.2, EPSS 0.01962
Exploits: 1
CVE
added 2024/03/27 7:55 a.m., 437 views

CVE-2024-2398

CVE-2024-2398 affects curl/libcurl: when an application enables HTTP/2 server push and the received push headers exceed a limit (1000), libcurl aborts the server push and leaks previously allocated headers, causing memory leaks and a silent condition that can be hard to detect. The CVSS in the en...

CVSS 8.6, AI score 8.3, EPSS 0.01962
Exploits: 1, References: 13, Affected Software: 1
AlpineLinux
added 2024/03/27 7:55 a.m., 96 views

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

CVSS 8.6, AI score 8.5, EPSS 0.01962
Exploits: 1
Vulnrichment
added 2024/03/27 7:55 a.m., 27 views

CVE-2024-2398 HTTP/2 push headers memory-leak

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

AI score 6.8, EPSS 0.01962
Exploits: 1, References: 13