
4431 matches found

Mageia
added 2019/09/28 1:5 a.m. | 63 views

Updated nghttp2 packages fix security vulnerabilities

The updated packages fix security vulnerabilities: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple stream...

CVSS 7.8 | AI score 2.6 | EPSS 0.13725
Exploits: 0 | References: 2
OSV
added 2019/09/28 1:5 a.m. | 6 views

MGASA-2019-0291 Updated nghttp2 packages fix security vulnerabilities

The updated packages fix security vulnerabilities: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple stream...

CVSS 7.8 | AI score 6.7 | EPSS 0.13725
Exploits: 0 | References: 3
Tenable Nessus
added 2019/09/27 12:0 a.m. | 48 views

SUSE SLED15 / SLES15 Security Update : nghttp2 (SUSE-SU-2019:2473-1) (Data Dribble) (Resource Loop)

This update for nghttp2 fixes the following issues : Security issues fixed : CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service bsc1146184. CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size...

CVSS 7.8 | AI score 7.7 | EPSS 0.13725
Exploits: 0 | References: 10
RedHat Linux
added 2019/09/26 5:19 p.m. | 137 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.1.18 gRPC security update

An update for gRPC, included in sriov-network-device-plugin-container, is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a...

CVSS 7.8 | AI score 7.4 | EPSS 0.50822
Exploits: 1 | References: 4
NVD
added 2019/09/26 4:15 p.m. | 31 views

CVE-2019-10082

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown...

CVSS 9.1 | AI score 9 | EPSS 0.4206
Exploits: 0 | References: 16
AlpineLinux
added 2019/09/26 2:40 p.m. | 51 views

CVE-2019-10082

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown...

CVSS 9.1 | AI score 9.2 | EPSS 0.4206
Exploits: 0
Tenable Nessus
added 2019/09/25 12:0 a.m. | 48 views

F5 Networks BIG-IP : HTTP/2 Reset Flood vulnerability (K01988340)

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the...

CVSS 7.8 | AI score 7.8 | EPSS 0.09322
Exploits: 0 | References: 2
Tenable Nessus
added 2019/09/25 12:0 a.m. | 47 views

F5 Networks BIG-IP : HTTP/2 Ping Flood vulnerability (K98053339)

The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.1 / 12.1.5.1 / 13.1.3.2 / 14.0.1.1 / 14.1.2.1 / 15.0.1.1 / 15.1.0. It is, therefore, affected by a vulnerability as referenced in the K98053339 advisory. Some HTTP/2 implementations are vulnerable to ping floods,...

CVSS 7.8 | AI score 7.9 | EPSS 0.50822
Exploits: 1 | References: 2
Tenable Nessus
added 2019/09/25 12:0 a.m. | 48 views

F5 Networks BIG-IP : HTTP/2 Settings Flood vulnerability (K50233772)

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost...

CVSS 7.8 | AI score 7.8 | EPSS 0.08892
Exploits: 0 | References: 2
Tenable Nessus
added 2019/09/24 12:0 a.m. | 60 views

RHEL 7 : OpenShift Container Platform 3.11 (RHSA-2019:2817)

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:2817 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...

CVSS 7.8 | AI score 7.5 | EPSS 0.50822
Exploits: 1 | References: 7
Tenable Nessus
added 2019/09/23 12:0 a.m. | 37 views

EulerOS 2.0 SP5 : golang (EulerOS-SA-2019-1967)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an...

CVSS 7.8 | AI score 7.9 | EPSS 0.50822
Exploits: 1 | References: 3
Tenable Nessus
added 2019/09/20 12:0 a.m. | 218 views

RHEL 8 : nginx:1.14 (RHSA-2019:2799)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2799 advisory. Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 Post Office Protocol 3 and IMAP protocols, with a focus on high...

CVSS 7.8 | AI score 7.5 | EPSS 0.13725
Exploits: 0 | References: 8
Tenable Nessus
added 2019/09/20 12:0 a.m. | 82 views

Oracle Linux 8 : nginx:1.14 (ELSA-2019-2799)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-2799 advisory. - Resolves: 1744811 - CVE-2019-9511 nginx:1.14/nginx: HTTP/2: large amount of data request leads to denial of service - Resolves: 1744325 - CVE-2019-95...

CVSS 7.8 | AI score 7.5 | EPSS 0.13725
Exploits: 0 | References: 4
RedHat Linux
added 2019/09/19 7:37 a.m. | 186 views

Important: Red Hat Security Advisory: nginx:1.14 security update

An update for the nginx:1.14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CVSS 7.8 | AI score 7.1 | EPSS 0.13725
Exploits: 0 | References: 4
RedHat Linux
added 2019/09/19 2:32 a.m. | 110 views

Important: Red Hat Security Advisory: skydive security update

An update for skydive is now available for Red Hat OpenStack Platform 14.0 Rocky. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CVSS 7.8 | AI score 7.4 | EPSS 0.50822
Exploits: 1 | References: 4
RedHat Linux
added 2019/09/19 2:32 a.m. | 1 views

HTTP/2: flood using SETTINGS frames results in unbounded memory growth

A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability...

CVSS 7.8 | AI score 7.1 | EPSS 0.08892
Exploits: 0 | References: 7
Tenable Nessus
added 2019/09/19 12:0 a.m. | 47 views

Oracle Linux 8 : go-toolset:rhel8 (ELSA-2019-2726)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-2726 advisory. - Fixes CVE-2019-9512. - Fixes CVE-2019-9514. Tenable has extracted the preceding description block directly from the Oracle Linux security advisory...

CVSS 7.8 | AI score 8 | EPSS 0.50822
Exploits: 1 | References: 3
Tenable Nessus
added 2019/09/19 12:0 a.m. | 47 views

Ubuntu 18.04 LTS : Tomcat vulnerabilities (USN-4128-2)

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4128-2 advisory. It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to...

CVSS 7.5 | AI score 6.8 | EPSS 0.713
Exploits: 3 | References: 3
Ubuntu
added 2019/09/18 2:8 p.m. | 140 views

USN-4128-2: Tomcat vulnerabilities

It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. CVE-2019-0221 It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while addressing...

CVSS 7.5 | AI score 6.7 | EPSS 0.713
Exploits: 3
OpenVAS
added 2019/09/18 12:0 a.m. | 56 views

Ubuntu: Security Advisory (USN-4113-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.1 | AI score 7.1 | EPSS 0.87525
Exploits: 6 | References: 3