Oracle Linux 9 : git-lfs (ELSA-2024-2724)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-2724 advisory. 3.4.1-2 - Rebuild with new Golang - Resolves: RHEL-32570, RHEL-28385, RHEL-28402, RHEL-28432 Tenable has extracted the preceding description block...

SUSE: Security Advisory (SUSE-SU-2024:1345-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

thunderbird security update

An update is available for thunderbird. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Mozilla Thunderbird is a standalone mail and newsgroup client. This updat...

RLSA-2024:1939 Low: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.10.0. Security Fixes: Mozilla: Denial of Service using HTTP/2 CONTINUATION frames CVE-2024-3302 For more details about the security issues, including the impact, a CVSS score,...

varnish security update

An update is available for module.varnish, varnish-modules, varnish, module.varnish-modules. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Varnish Cache is a...

RLSA-2024:1822 Moderate: java-11-openjdk security update

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fixes: OpenJDK: long Exception message leading to crash 8319851 CVE-2024-21011 OpenJDK: integer overflow in C1 compiler address generation 8322122 CVE-2024-21068...

RLSA-2024:1828 Moderate: java-21-openjdk security update

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. Security Fixes: OpenJDK: long Exception message leading to crash 8319851 CVE-2024-21011 OpenJDK: integer overflow in C1 compiler address generation 8322122 CVE-2024-21068...

java-21-openjdk security update

An update is available for java-21-openjdk. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The java-21-openjdk packages provide the OpenJDK 21 Java Runtime...

Oracle Linux 9 : mod_http2 (ELSA-2024-2368)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-2368 advisory. 2.0.26-1 - Resolves: RHEL-14691 - modhttp2 rebase to 2.0.26 Tenable has extracted the preceding description block directly from the Oracle Linux securi...

Rocky Linux 8 : thunderbird (RLSA-2024:1939)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:1939 advisory. - There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the...

CentOS 8 : thunderbird (CESA-2024:1939)

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2024:1939 advisory. - The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This...

RHEL 9 : varnish (RHSA-2024:2700)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:2700 advisory. Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and ov...

Rocky Linux 8 : go-toolset:rhel8 (RLSA-2024:1962)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:1962 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK stat...

Rocky Linux 8 : varnish (RLSA-2024:1690)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:1690 advisory. - Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 and before 6.0.13 LTS, and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2...

Rocky Linux 8 : httpd:2.4/mod_http2 (RLSA-2024:1786)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:1786 advisory. - HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not sto...

Important: mod_http2

Issue Overview: HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. CVE-2024-27316 Affected Packages: modhttp2 Issue Correction: Run dnf...

ROS-20240503-02

Vulnerability of HTTP/2 protocol implementation is related to the possibility of forming a stream of requests within an already established network connection without opening new network connections and without confirming receipt of requests. The vulnerability of the HTTP/2 protocol implementatio...

Important: nodejs

Issue Overview: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the...

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service DoS attack...

RHCOS 4 : OpenShift Container Platform 4.12.56 (RHSA-2024:1899)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1899 advisory. - golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288 Note that Nessus has not tested for this...