Lucene search

Slackware Linux ProjectSSA-2024-095-02

HistoryApr 04, 2024 - 7:17 p.m.

[slackware-security] nghttp2

2024-04-0419:17:04

Slackware Linux Project

www.slackware.com

nghttp2

slackware 15.0

security fix

cpu usage

http/2

patch

upgrade

installation

cve-2024-28182.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

7.3 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.2%

JSON

New nghttp2 packages are available for Slackware 15.0 and -current to
fix a security issue.

Here are the details from the Slackware 15.0 ChangeLog:

patches/packages/nghttp2-1.61.0-i586-1_slack15.0.txz: Upgraded.
This update fixes security issues:
nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION
frames even after a stream is reset to keep HPACK context in sync. This
causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates
this vulnerability by limiting the number of CONTINUATION frames it can
accept after a HEADERS frame.
For more information, see:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
https://www.kb.cert.org/vuls/id/421644
https://vulners.com/cve/CVE-2024-28182
(* Security fix *)

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the “Get Slack” section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/nghttp2-1.61.0-i586-1_slack15.0.txz

Updated package for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/nghttp2-1.61.0-x86_64-1_slack15.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/nghttp2-1.61.0-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/nghttp2-1.61.0-x86_64-1.txz

MD5 signatures:

Slackware 15.0 package:
ec7c0c10fbd8fc955172c165ac83e820 nghttp2-1.61.0-i586-1_slack15.0.txz

Slackware x86_64 15.0 package:
83b16e89f34a2b3ab340c4e8be7e013b nghttp2-1.61.0-x86_64-1_slack15.0.txz

Slackware -current package:
1344e95b1100f186ed42012881ca29c9 n/nghttp2-1.61.0-i586-1.txz

Slackware x86_64 -current package:
03b5154892afcc2f9bfcaee440229252 n/nghttp2-1.61.0-x86_64-1.txz

Installation instructions:

Upgrade the package as root:
> upgradepkg nghttp2-1.61.0-i586-1_slack15.0.txz

OSVersionArchitecturePackageVersionFilename
Slackware15.0i586nghttp2< 1.61.0nghttp2-1.61.0-i586-1_slack15.0.txz
Slackware15.0x86_64nghttp2< 1.61.0nghttp2-1.61.0-x86_64-1_slack15.0.txz
Slackwarecurrenti586nghttp2< 1.61.0nghttp2-1.61.0-i586-1.txz
Slackwarecurrentx86_64nghttp2< 1.61.0nghttp2-1.61.0-x86_64-1.txz

OS	Version	Architecture	Package	Version	Filename
Slackware	15.0	i586	nghttp2	< 1.61.0	nghttp2-1.61.0-i586-1_slack15.0.txz
Slackware	15.0	x86_64	nghttp2	< 1.61.0	nghttp2-1.61.0-x86_64-1_slack15.0.txz
Slackware	current	i586	nghttp2	< 1.61.0	nghttp2-1.61.0-i586-1.txz
Slackware	current	x86_64	nghttp2	< 1.61.0	nghttp2-1.61.0-x86_64-1.txz