Advisories » MGASA-2020-0256

Updated nghttp2 packages fix security vulnerability

Publication date: 10 Jun 2020
Modification date: 10 Jun 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-11080

Description

nghttp2 has been updated to version 1.41.0 to fix CVE-2020-11080.

An overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a
SETTINGS frame with a length of 14,400 bytes (2400 individual settings
entries) over and over again. The attack causes the CPU to spike at 100%.
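
A receiver-side check for the condition described above, as an added example (not code from nghttp2 or from this advisory): it parses a 9-byte HTTP/2 frame header and flags SETTINGS frames that carry more entries than a policy limit. The function name, the verdict enum and the limit of 32 entries are assumptions for illustration; at 6 bytes per entry, a 14,400-byte payload yields the 2400 entries quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_FRAME_HEADER_LEN   9     /* RFC 7540 section 4.1 */
#define H2_FRAME_SETTINGS     0x04
#define H2_FLAG_ACK           0x01
#define H2_SETTINGS_ENTRY_LEN 6     /* 16-bit identifier + 32-bit value */
#define MAX_SETTINGS_ENTRIES  32    /* assumed policy limit for this example */

enum settings_verdict {
    SV_NOT_SETTINGS,      /* some other frame type; not judged here */
    SV_OK,
    SV_TRUNCATED,         /* fewer than 9 header bytes available */
    SV_MALFORMED,         /* violates RFC 7540 section 6.5 framing rules */
    SV_TOO_MANY_ENTRIES   /* well-formed but over the policy limit */
};

/* Inspect one 9-byte HTTP/2 frame header before the payload is processed.
 * On return *entries holds the number of settings the payload would carry. */
enum settings_verdict check_settings_header(const uint8_t *hdr, size_t len,
                                            uint32_t *entries)
{
    *entries = 0;
    if (len < H2_FRAME_HEADER_LEN) return SV_TRUNCATED;
    uint32_t payload_len = ((uint32_t)hdr[0] << 16) | ((uint32_t)hdr[1] << 8) | hdr[2];
    uint8_t type = hdr[3], flags = hdr[4];
    /* The top bit of the stream identifier is reserved and ignored. */
    uint32_t stream_id = ((uint32_t)(hdr[5] & 0x7f) << 24) | ((uint32_t)hdr[6] << 16) |
                         ((uint32_t)hdr[7] << 8) | hdr[8];
    if (type != H2_FRAME_SETTINGS) return SV_NOT_SETTINGS;
    /* SETTINGS must be on stream 0, a multiple of 6 bytes, and empty if ACK. */
    if (stream_id != 0 || payload_len % H2_SETTINGS_ENTRY_LEN != 0 ||
        ((flags & H2_FLAG_ACK) && payload_len != 0))
        return SV_MALFORMED;
    *entries = payload_len / H2_SETTINGS_ENTRY_LEN;
    return *entries > MAX_SETTINGS_ENTRIES ? SV_TOO_MANY_ENTRIES : SV_OK;
}

int main(void)
{
    /* Constructed header: length 14400 (0x003840), type SETTINGS, stream 0. */
    const uint8_t hdr[9] = {0x00, 0x38, 0x40, 0x04, 0x00, 0, 0, 0, 0};
    uint32_t n;
    enum settings_verdict v = check_settings_header(hdr, sizeof hdr, &n);
    printf("verdict=%d entries=%u\n", (int)v, (unsigned)n);
    return 0;
}
```

Because the advisory describes the frame being sent repeatedly, a per-frame limit like this is normally paired with a per-connection count of SETTINGS frames received.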
                

References

SRPMS

7/core