4431 matches found
[SECURITY] [DSA 4511-1] nghttp2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4511-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff September 01, 2019 https://www.debian.org/security/faq -...
Ubuntu 16.04 LTS / 18.04 LTS : Apache HTTP Server vulnerabilities (USN-4113-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4113-1 advisory. Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some...
SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2019:2254-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)
This update for nodejs10 to version 10.16.3 fixes the following issues : Security issues fixed : CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service bsc1146091. CVE-2019-9512...
Ubuntu: Security Advisory (USN-4113-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
USN-4113-1: Apache HTTP Server vulnerabilities
Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service daemon crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04...
Fedora Update for nghttp2 FEDORA-2019-8a437d5c2f
The remote host is missing an update for the Copyright C 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2019:2237-1) (Internal Data Buffering)
This update for apache2 fixes the following issues : Security issues fixed : CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering bsc1145575. CVE-2019-10081: Fixed modhttp2 that is vulnerable to memory corruption on early pushes bsc1145742...
UPDATE: Merlin v0.8.0
PenTestIT RSS Feed A week ago an update - Merlin v0.8.0 was released. There was a brief mention about Merlin in my post titled - List of Open Source C2 Post-Exploitation Frameworks. This new version includes several new features to increase Operations Security OPSEC and usability. One of the more...
SUSE-SU-2019:2237-1 Security update for apache2
This update for apache2 fixes the following issues: Security issues fixed: - CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering bsc1145575. - CVE-2019-10081: Fixed modhttp2 that is vulnerable to memory corruption on early pushes bsc1145742. -...
Amazon Linux AMI : golang (ALAS-2019-1270) (Ping Flood) (Reset Flood)
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...
Apache Tomcat DoS Vulnerability (Jun 2019) - Linux
Apache Tomcat is prone to a denial of service vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat"; if...
Amazon Linux 2 : golang (ALAS-2019-1272) (Ping Flood) (Reset Flood)
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU,...
[SECURITY] Fedora 29 Update: nghttp2-1.39.2-1.fc29
This package contains the HTTP/2 client, server and proxy programs...
Debian DSA-4508-1 : h2o - security update (Ping Flood) (Reset Flood) (Settings Flood)
Three vulnerabilities were discovered in the HTTP/2 code of the H2O HTTP server, which could result in denial of service. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Debian Security Advisory DSA-4508. The text itself is copyright C...
Debian: Security Advisory (DSA-4508-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Nginx servers, and Node.js software platforms allows a attacker to cause a service failure.
The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Nginx servers, and Node.js software platforms is related to an uncontrolled resource consumption. Exploiting this vulnerability can allow a malicious actor to cause service failures remotely...
nginx 1.9.5 - 1.17.2 HTTP/2 Multiple DoS Vulnerabilities
nginx is prone to multiple denial of service DoS vulnerabilities in the HTTP/2 implementation. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian DSA-4509-1 : apache2 - security update (Internal Data Buffering)
Several vulnerabilities have been found in the Apache HTTPD server. - CVE-2019-9517 Jonathan Looney reported that a malicious client could perform a denial of service attack exhausting h2 workers by flooding a connection with requests and basically never reading responses on the TCP connection. -...
[ASA-201908-17] libnghttp2: denial of service
Arch Linux Security Advisory ASA-201908-17 ========================================== Severity: Medium Date : 2019-08-27 CVE-ID : CVE-2019-9511 CVE-2019-9513 Package : libnghttp2 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1024 Summary ======= The package...
FreeBSD : h2o -- multiple HTTP/2 vulnerabilities (72a5579e-c765-11e9-8052-0028f8d09152) (Ping Flood) (Reset Flood) (Settings Flood)
Jonathon Loomey of Netflix reports : HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following : -...