Security update for go1.14 (moderate)
openSUSE Security Update: Security update for go1.14 Announcement ID: openSUSE-SU-2020:2047-1 Rating: moderate References: 1164903 1178750 1178752 1178753 Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 Affected Products: openSUSE Leap 15.1 An update that solves three vulnerabiliti...
Node.js: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Summary: The Node.js http2 server is vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new...
httpd: memory corruption on early pushes
A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash...
httpd: mod_http2 concurrent pool usage
A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability...
Moderate: Red Hat Security Advisory: go-toolset-1.13-golang security and bug fix update
An update for go-toolset-1.13 and go-toolset-1.13-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is availabl...
H2Csmuggler - HTTP Request Smuggling Over HTTP/2 Cleartext (H2C)
h2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls. See my detailed write-up below for: Technical breakdown of the...
CVE-2020-4581
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a chunked transfer-encoding HTTP/2 request. IBM X-Force ID: 184441...
SUSE-SU-2020:2450-1 Security update for apache2
This update for apache2 fixes the following issues: - CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request (bsc#1175071). - CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072). - CVE-2020-11993:...
Fedora: Security Advisory for mod_http2 (FEDORA-2020-b58dc5df38)
The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
[SECURITY] Fedora 31 Update: mod_http2-1.15.14-1.fc31
The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers...
Fedora: Security Advisory for mod_http2 (FEDORA-2020-8122a8daa2)
The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
[SECURITY] Fedora 32 Update: mod_http2-1.15.14-1.fc32
The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers...
PT-2020-5444 · Apache +6 · Apache Http Server +6
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.20 through 2.4.43 Description: The issue is related to the implementation of the HTTP/2 mechanism in the Apache HTTP Server, which is associated with inconsistent interpretation of HTTP requests. This can allow...
HAProxy HTTP2 CRLF Injection (CVE-2019-19330)
A CRLF injection vulnerability exists in the HAProxy HTTP/2 module. Successful exploitation of this vulnerability could allow a remote attacker to damage the user's system...
HAProxy HTTP2 HPACK Remote Code Execution (CVE-2020-11100)
A remote code execution vulnerability exists in HAProxy. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
DEBIAN-CVE-2020-9494
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...
HTTP/2: flood using PING frames results in unbounded memory growth
A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability...
httpd: read-after-free in h2 connection shutdown
A read-after-free vulnerability was discovered in Apache httpd, in mod_http2. A specially crafted HTTP/2 client session could cause the server to read memory that was previously freed during connection shutdown, potentially leading to a crash...
haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy...
Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities
Summary: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities. Vulnerability Details: CVEID: CVE-2019-9515 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Settings Flood attack. By sending a stream of SETTINGS frames to the peer, a remote attacker...