Wednesday, November 22, 2023

[USN-6505-1] nghttp2 vulnerability

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmVeJbwACgkQZWnYVadE
vpOEQg/+LmcG8OMy5/jB7+WY7Lg2E2kHnXp268xAwa/HKFG9Q8PLrOhvZQGVjCD7
EwLITIxMLZE3yZeEQBO7vARafoWVy/G+OJubYTgf5tqgjtvCLDDCbleN7Fuclaiu
vO44nBsR2CoAsADLjbKC7PgvPkoF6MIrlPFOQDdLxY2qdU/lNggTuxjZO/NM2LNN
BxZ1XeXNvqfmHtBxhoF8jaiBYe8mIY3kSoAcT8FTvGp83OjHKcohlIFZVUnSw4ej
L+xTx1ucFLLW/bM16jwWjbOSuaoK+LtkfJOhrRKnT2xap+BaJtBMRdQ8kCRndRzk
hlMmg1x4V9iV9ShwBIlQ+oZYUDlq1XhWGvO5z5pKZ14pUZbWbBxrWyINVC7rjVYa
V4VrfCnbt21AhpHSXD15rgE/Lr+ANGfsi648SjRSv16hBKAA+59WjNcFILNH6Scm
SawuX5o66PSTsrtT5uyj/5xz2kpwckF8kLsGDMBsJRxKrYRQ42AEH1+yhYOZX7Qr
nVkAjtQrkGqvzVAmFOIIqGnPIGYIs19VfhwGjo3Bty31RbCoZEWT44adE2JeAXO9
zfvITUoisgX4bsljA/oU2VfLhwtMa0fqs/MQdTB7odGuQBJYB4ViuCXHN392w453
YqWwjyuSMr0aFvrQF0UXfWy/lgkCGLlVWHO27ts6AvNR/AQT05o=
=pJFv
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6505-1
November 22, 2023

nghttp2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

nghttp2 could be made to consume resources if it received specially crafted
network traffic.

Software Description:
- nghttp2: HTTP/2 C Library and tools

Details:

It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
libnghttp2-14 1.55.1-1ubuntu0.1
nghttp2 1.55.1-1ubuntu0.1
nghttp2-client 1.55.1-1ubuntu0.1
nghttp2-proxy 1.55.1-1ubuntu0.1
nghttp2-server 1.55.1-1ubuntu0.1

Ubuntu 23.04:
libnghttp2-14 1.52.0-1ubuntu0.1
nghttp2 1.52.0-1ubuntu0.1
nghttp2-client 1.52.0-1ubuntu0.1
nghttp2-proxy 1.52.0-1ubuntu0.1
nghttp2-server 1.52.0-1ubuntu0.1

Ubuntu 22.04 LTS:
libnghttp2-14 1.43.0-1ubuntu0.1
nghttp2 1.43.0-1ubuntu0.1
nghttp2-client 1.43.0-1ubuntu0.1
nghttp2-proxy 1.43.0-1ubuntu0.1
nghttp2-server 1.43.0-1ubuntu0.1

Ubuntu 20.04 LTS:
libnghttp2-14 1.40.0-1ubuntu0.2
nghttp2 1.40.0-1ubuntu0.2
nghttp2-client 1.40.0-1ubuntu0.2
nghttp2-proxy 1.40.0-1ubuntu0.2
nghttp2-server 1.40.0-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6505-1
CVE-2023-44487

Package Information:
https://launchpad.net/ubuntu/+source/nghttp2/1.55.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/nghttp2/1.52.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/nghttp2/1.40.0-1ubuntu0.2

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)