1391 matches found

OSV
added 2023/10/23 7:15 a.m.

DEBIAN-CVE-2023-43622

An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known "slow loris" attack pattern. This has been fixed in...

CVSS 7.5 | AI score 7.4 | EPSS 0.59544
Exploits: 0 | References: 1
OSV
added 2023/10/23 7:15 a.m.

AZL-45147 CVE-2023-45802 affecting package mod_http2 for versions less than 2.0.29-3

When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing...

CVSS 5.9 | AI score 6.8 | EPSS 0.02793
Exploits: 1 | References: 1
RedHat Linux
added 2023/10/20 5:04 a.m.

Important: Red Hat Security Advisory: Logging Subsystem 5.7.7 - Red Hat OpenShift security update

Logging Subsystem 5.7.7 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 7.5 | AI score 7 | EPSS 0.94395
Exploits: 19 | References: 10
Tenable Nessus
added 2023/10/20 12:00 a.m.

Amazon Linux 2 : runc (ALASNITRO-ENCLAVES-2023-032)

The version of runc installed on the remote host is prior to 1.1.7-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2023-032 advisory. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many...

CVSS 7.5 | AI score 7 | EPSS 0.0015
Exploits: 0 | References: 4
Tenable Nessus
added 2023/10/20 12:00 a.m.

Amazon Linux 2 : docker (ALASDOCKER-2023-031)

The version of docker installed on the remote host is prior to 20.10.25-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2023-031 advisory. 2025-03-03: CVE-2023-29409 was added to this advisory. 2024-05-09: CVE-2022-41723 was added to this advisory...

CVSS 9.8 | AI score 7.5 | EPSS 0.00759
Exploits: 0 | References: 12
Tenable Nessus
added 2023/10/20 12:00 a.m.

Amazon Linux 2 : runc (ALASDOCKER-2023-033)

The version of runc installed on the remote host is prior to 1.1.7-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2023-033 advisory. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams...

CVSS 7.5 | AI score 7 | EPSS 0.0015
Exploits: 0 | References: 4
OSV
added 2023/10/19 7:05 p.m.

CLSA-2023-1697742355 Fix CVE(s): CVE-2023-44487

SECURITY UPDATE: The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly
- debian/patches/CVE-2023-44487.patch: HTTP/2 - per-iteration stream handling limit.
- CVE-2023-44487...

CVSS 7.5 | AI score 7.1 | EPSS 0.94395
Exploits: 19 | References: 1
RedHat Linux
added 2023/10/19 10:38 a.m.

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5 | AI score 6.7 | EPSS 0.94395
Exploits: 19 | References: 10
Amazon
added 2023/10/19 12:00 a.m.

Important: docker

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723). Templates did not properly consider backticks as JavaScript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a G...

CVSS 9.8 | AI score 7.6 | EPSS 0.00759
Exploits: 0
Amazon
added 2023/10/19 12:00 a.m.

Important: runc

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325) Affected Packages: runc. Note: This advisory is applicable to Amazon Linux...

CVSS 7.5 | AI score 6.9 | EPSS 0.0015
Exploits: 0
Tenable Nessus
added 2023/10/19 12:00 a.m.

RHEL 9 : grafana (RHSA-2023:5866)

The remote Red Hat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:5866 advisory. Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fixes: HTTP/2: Multip...

CVSS 7.5 | AI score 7.4 | EPSS 0.94395
Exploits: 19 | References: 8
RedHat Linux
added 2023/10/18 10:54 p.m.

Moderate: Red Hat Security Advisory: grafana security update

An update for grafana is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...

CVSS 7.5 | AI score 7 | EPSS 0.94395
Exploits: 19 | References: 4
RedHat Linux
added 2023/10/17 6:07 p.m.

Important: Red Hat Security Advisory: OpenShift Container Platform 4.13.17 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a...

CVSS 7.5 | AI score 7.1 | EPSS 0.94395
Exploits: 19 | References: 33
OSV
added 2023/10/17 12:41 p.m.

GHSA-9WMC-RG4H-28WV github.com/kumahq/kuma affected by CVE-2023-44487

Impact: The Envoy and Go HTTP/2 protocol stacks are vulnerable to the "Rapid Reset" class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames. This can be exercised if you use the built-in gateway and receive untrusted HTTP/2 traffic. Patches...

CVSS 7.5 | AI score 7.8
Exploits: 0 | References: 11
Debian
added 2023/10/16 10:23 p.m.

[SECURITY] [DLA 3617-2] tomcat9 regression update

Debian LTS Advisory DLA-3617-2
https://www.debian.org/lts/security/
Markus Koschany, October 17, 2023
https://wiki.debian.org/LTS

Package : tomcat9
Version : 9.0.31-1~deb10u10
CVE ID : CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat ...

CVSS 7.5 | AI score 7 | EPSS 0.94395
Exploits: 19
Debian
added 2023/10/16 9:36 p.m.

[SECURITY] [DSA 5522-3] tomcat9 regression update

Debian Security Advisory DSA-5522-3
https://www.debian.org/security/
Markus Koschany, October 16, 2023
https://www.debian.org/security/faq
...

CVSS 7.5 | AI score 7.5 | EPSS 0.94395
Exploits: 19
RedHat Linux
added 2023/10/16 2:23 p.m.

Important: Red Hat Security Advisory: Red Hat Data Grid 8.4.5 security update

An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 7.5 | AI score 7 | EPSS 0.94395
Exploits: 19 | References: 5
RedHat Linux
added 2023/10/16 12:38 p.m.

Important: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 7.1 | EPSS 0.94395
Exploits: 19 | References: 4
OSV
added 2023/10/16 12:00 a.m.

ALSA-2023:5721 Important: go-toolset:rhel8 security update

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487, CVE-2023-39325). HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS...

CVSS 7.5 | AI score 8.3 | EPSS 0.94395
Exploits: 19 | References: 6
Tenable Nessus
added 2023/10/16 12:00 a.m.

RHEL 7 : go-toolset-1.19 and go-toolset-1.19-golang (RHSA-2023:5719)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5719 advisory. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: net/http,...

CVSS 7.5 | AI score 7.5 | EPSS 0.94395
Exploits: 19 | References: 7