Advisories » MGASA-2024-0135

Updated nghttp2 packages fix security vulnerability

Publication date: 17 Apr 2024
Modification date: 17 Apr 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-28182

Description

The nghttp2 library keeps reading an unbounded number of HTTP/2
CONTINUATION frames even after a stream is reset, in order to keep the
HPACK context in sync. Decoding that HPACK stream causes excessive CPU usage.
This update fixes the issue.
The updated package is the latest release, which also brings some more
fixes and improvements.
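
The condition described above can be spotted on the receiving side by counting the CONTINUATION frames that make up one header block. The C code below is an added example, not code from nghttp2 or from Mageia; the function names and the cap MAX_CONTINUATIONS are assumptions made for illustration, and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum { T_HEADERS = 0x1, T_PUSH_PROMISE = 0x5, T_CONTINUATION = 0x9,
       F_END_HEADERS = 0x4, HDR_LEN = 9 };    /* values from RFC 9113 */
enum { MAX_CONTINUATIONS = 8 };               /* assumed cap, example only */

/* Walk raw inbound HTTP/2 frames (connection preface already consumed).
 * Returns the stream id of the first header block spread over more than
 * MAX_CONTINUATIONS CONTINUATION frames, 0 if none, -1 if truncated. */
long find_continuation_flood(const uint8_t *buf, size_t len) {
    size_t off = 0;
    unsigned run = 0;   /* CONTINUATION frames seen in the open block */
    int open = 0;       /* 1 while a header block lacks END_HEADERS */
    while (off < len) {
        if (len - off < HDR_LEN) return -1;
        const uint8_t *h = buf + off;
        size_t plen = ((size_t)h[0] << 16) | ((size_t)h[1] << 8) | h[2];
        uint32_t sid = ((uint32_t)(h[5] & 0x7f) << 24) | ((uint32_t)h[6] << 16)
                     | ((uint32_t)h[7] << 8) | h[8];
        if (len - off - HDR_LEN < plen) return -1;
        if (h[3] == T_HEADERS || h[3] == T_PUSH_PROMISE) {
            open = !(h[4] & F_END_HEADERS);
            run = 0;
        } else if (h[3] == T_CONTINUATION && open) {
            /* Counted even if the stream was reset: frames still get decoded. */
            if (++run > MAX_CONTINUATIONS) return (long)sid;
            if (h[4] & F_END_HEADERS) open = 0;
        }
        off += HDR_LEN + plen;
    }
    return 0;
}

/* Constructed sample: HEADERS on stream 1, then n_cont CONTINUATION frames. */
long check_sample(unsigned n_cont) {
    uint8_t buf[10 * 64] = {0};
    size_t off = 0;
    for (unsigned i = 0; i <= n_cont && off + 10 <= sizeof buf; i++, off += 10) {
        buf[off + 2] = 1;                                  /* payload length */
        buf[off + 3] = i ? T_CONTINUATION : T_HEADERS;
        buf[off + 4] = (i == n_cont) ? F_END_HEADERS : 0;  /* last frame only */
        buf[off + 8] = 1;                                  /* stream id */
    }
    return find_continuation_flood(buf, off);
}

int main(void) {
    printf("8 frames: %ld, 9 frames: %ld\n", check_sample(8), check_sample(9));
    return 0;
}
```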
                

References

SRPMS

9/core