CLSA-2024-1712836996 Fix CVE(s): CVE-2024-2398

SECURITY UPDATE: http2: push headers better cleanup - debian/patches/CVE-2024-2398.patch: provide common cleanup method for push headers - CVE-2024-2398...

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

SUSE CVE-2023-45288

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

SUSE CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

AZL-38158 CVE-2023-45288 affecting package application-gateway-kubernetes-ingress for versions less than 1.7.7-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39334 CVE-2023-45288 affecting package cert-manager for versions less than 1.11.2-9

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-38281 CVE-2023-45288 affecting package etcd for versions less than 3.5.18-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39463 CVE-2023-45288 affecting package skopeo for versions less than 1.14.2-3

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-40012 CVE-2024-27316 affecting package httpd for versions less than 2.4.59-1

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion...

AZL-40001 CVE-2024-27316 affecting package httpd for versions less than 2.4.61-1

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion...

OESA-2024-1335 cri-o security update

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface. Security Fixes: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.CVE-2022-41723...

ROS-20240329-10

Vulnerability of http2 package of Go programming language is related to uncontrolled server resources consumption as a result of resetting Server.MaxConcurrentStreams parameter during request stream processing. as a result of resetting the Server.MaxConcurrentStreams parameter when processing a...

SUSE CVE-2024-30156

Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 and before 6.0.13 LTS, and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack...

Varnish Cache 安全漏洞

Varnish Cache is a suite of reverse web caching servers. A security vulnerability exists in Varnish Cache versions prior to 7.3.2 and 7.4.x prior to 7.4.3 and Varnish Enterprise versions prior to 6.0.12r6, which stems from a credit exhaustion that allows HTTP/2 connections to control the flow...

SUSE-SU-2024:0817-1 Security update for jetty-minimal

This update for jetty-minimal fixes the following issues: - CVE-2024-22201: Fixed denial-of-service via HTTP/2 connection leak bsc1220437...

Fedora 39 : suricata (2024-bd4eed8466)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-bd4eed8466 advisory. This update fixes: CVE-2024-23835, CVE-2024-23836, CVE-2024-23837, CVE-2024-23839, CVE-2024-24568. Tenable has extracted the preceding description...

Fedora 39 : golang-github-tdewolff-argp / golang-github-tdewolff-minify / etc (2024-c3e32c5635)

The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-c3e32c5635 advisory. Update to latest version Security fix for CVE-2023-39325 Tenable has extracted the preceding description block directly from the Fedora security advisory. No...

BIT-ENVOY-2021-29258

An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion...

BIT-GOLANG-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

PT-2024-2621

Name of the Vulnerable Software and Affected Versions net/http and net/http2 in Go affected versions not specified Description An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires...