
4431 matches found

Tenable Nessus
added 2019/08/26 12:0 a.m. | 21 views

SUSE SLED15 / SLES15 Security Update : go1.11 (SUSE-SU-2019:2213-1) (Ping Flood) (Reset Flood)

This update for go1.11 fixes the following issues : Security issues fixed : CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth bsc1146111. CVE-2019-9514: Fixed HTTP/2 implementation that is vulnerable to a reset flood, potentially leading to a denial of...

CVSS 9.8 | AI score 7.8 | EPSS 0.50822
Exploits: 2 | References: 11

Tenable Nessus
added 2019/08/26 12:0 a.m. | 251 views

openSUSE Security Update : go1.12 (openSUSE-2019-2000) (Ping Flood) (Reset Flood)

This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth. bsc1146111 - CVE-2019-9514: Fixed HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of...

CVSS 9.8 | AI score 7.8 | EPSS 0.50822
Exploits: 2 | References: 8

Tenable Nessus
added 2019/08/26 12:0 a.m. | 305 views

SUSE SLED15 / SLES15 Security Update : go1.12 (SUSE-SU-2019:2214-1) (Ping Flood) (Reset Flood)

This update for go1.12 fixes the following issues : Security issues fixed : CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth bsc1146111. CVE-2019-9514: Fixed HTTP/2 implementation that is vulnerable to a reset flood, potentially leading to a denial of...

CVSS 9.8 | AI score 7.8 | EPSS 0.50822
Exploits: 2 | References: 12

Tenable Nessus
added 2019/08/26 12:0 a.m. | 43 views

FreeBSD : h2o -- multiple HTTP/2 vulnerabilities (73b1e734-c74e-11e9-8052-0028f8d09152) (Ping Flood) (Reset Flood) (Settings Flood)

Jonathon Loomey of Netflix reports : HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following : -...

CVSS 7.8 | AI score 7.8 | EPSS 0.50822
Exploits: 1 | References: 6

OSV
added 2019/08/24 12:18 p.m. | 4 views

OPENSUSE-SU-2019:2000-1 Security update for go1.12

This update for go1.12 fixes the following issues: Security issues fixed: - CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth. bsc1146111 - CVE-2019-9514: Fixed HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of...

CVSS 9.8 | AI score 7.3 | EPSS 0.50822
Exploits: 2 | References: 9

ArchLinux
added 2019/08/24 12:0 a.m. | 39 views

[ASA-201908-15] go: multiple issues

Arch Linux Security Advisory ASA-201908-15 ========================================== Severity: Medium Date : 2019-08-24 CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809 Package : go Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1021 Summary ======= The package ...

CVSS 9.8 | AI score 1.2 | EPSS 0.50822
Exploits: 2 | References: 7

OPENSUSE Linux
added 2019/08/24 12:0 a.m. | 217 views

Security update for go1.12 (important)

openSUSE Security Update: Security update for go1.12 Announcement ID: openSUSE-SU-2019:2000-1 Rating: important References: 1139210 1141689 1146111 1146115 1146123 Cross-References: CVE-2019-14809 CVE-2019-9512 CVE-2019-9514 Affected Products: openSUSE Leap 15.1 An update that solves three...

CVSS 9.8 | AI score 8.6 | EPSS 0.50822
Exploits: 2 | References: 5

OpenVAS
added 2019/08/24 12:0 a.m. | 81 views

Debian: Security Advisory (DSA-4505-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.8 | AI score 7.9 | EPSS 0.13725
Exploits: 0 | References: 4

ArchLinux
added 2019/08/24 12:0 a.m. | 56 views

[ASA-201908-16] go-pie: multiple issues

Arch Linux Security Advisory ASA-201908-16 ========================================== Severity: Medium Date : 2019-08-24 CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809 Package : go-pie Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1020 Summary ======= The...

CVSS 9.8 | AI score 1.3 | EPSS 0.50822
Exploits: 2 | References: 7

Fedora
added 2019/08/23 1:27 a.m. | 48 views

[SECURITY] Fedora 30 Update: nghttp2-1.39.2-1.fc30

This package contains the HTTP/2 client, server and proxy programs...

CVSS 7.8 | AI score 2.3 | EPSS 0.13725
Exploits: 0

Amazon
added 2019/08/23 12:0 a.m. | 286 views

Important: golang

Issue Overview: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For...

CVSS 9.8 | AI score 8.3 | EPSS 0.50822
Exploits: 2

Tenable Nessus
added 2019/08/23 12:0 a.m. | 60 views

Debian DSA-4505-1 : nginx - security update (0-Length Headers Leak) (Data Dribble) (Resource Loop)

Three vulnerabilities were discovered in the HTTP/2 code of Nginx, a high-performance web and reverse proxy server, which could result in denial of service. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Debian Security Advisory DSA-450...

CVSS 7.8 | AI score 7.6 | EPSS 0.13725
Exploits: 0 | References: 7

OpenVAS
added 2019/08/23 12:0 a.m. | 49 views

Fedora Update for nghttp2 FEDORA-2019-81985a8858

The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

AI score 7.8
Exploits: 0 | References: 2

Amazon
added 2019/08/23 12:0 a.m. | 41 views

Important: golang

Issue Overview: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume...

CVSS 7.8 | AI score 8.3 | EPSS 0.50822
Exploits: 1

Debian
added 2019/08/22 7:38 p.m. | 162 views

[SECURITY] [DSA 4505-1] nginx security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4505-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 22, 2019 https://www.debian.org/security/faq -...

CVSS 7.8 | AI score 8.3 | EPSS 0.13725
Exploits: 0

Hacker One
added 2019/08/20 2:14 p.m. | 217 views

Internet Bug Bounty: mod_http2, memory corruption on early pushes (CVE-2019-10081)

HTTP/2 very early pushes, for example configured with H2PushResource, could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. Scenarios where an attacker may be ab...

CVSS 5 | AI score 8.9 | EPSS 0.36106
Exploits: 1

Tenable Nessus
added 2019/08/20 12:0 a.m. | 60 views

FreeBSD : Apache -- Multiple vulnerabilities (caf545f2-c0d9-11e9-9051-4c72b94353b5) (Internal Data Buffering)

SO-AND-SO reports : SECURITY: CVE-2019-10081 mod_http2: HTTP/2 very early pushes, for example configured with 'H2PushResource', could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data...

CVSS 9.1 | AI score 6.9 | EPSS 0.87525
Exploits: 6 | References: 7

Tenable Nessus
added 2019/08/20 12:0 a.m. | 45 views

FreeBSD : nghttp2 -- multiple vulnerabilities (121fec01-c042-11e9-a73f-b36f5969f162) (Data Dribble) (Resource Loop)

nghttp2 GitHub releases : This release fixes CVE-2019-9511 'Data Dribble' and CVE-2019-9513 'Resource Loop' vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out...

CVSS 7.8 | AI score 7.8 | EPSS 0.13725
Exploits: 0 | References: 5

Tenable Nessus
added 2019/08/20 12:0 a.m. | 46 views

Ubuntu 16.04 LTS / 18.04 LTS : nginx vulnerabilities (USN-4099-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4099-1 advisory. Jonathan Looney discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to consu...

CVSS 7.8 | AI score 7.6 | EPSS 0.13725
Exploits: 0 | References: 4

OpenVAS
added 2019/08/20 12:0 a.m. | 23 views

Debian: Security Advisory (DSA-4503-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 | AI score 8.3 | EPSS 0.50822
Exploits: 2 | References: 4