Your message dated Mon, 26 May 2025 01:26:05 +0000
with message-id <e1ujmbn-006i1s...@fasolo.debian.org>
and subject line Bug#1103775: Removed package(s) from unstable
has caused the Debian Bug report #1084984,
regarding h2o: CVE-2024-45397 CVE-2024-25622
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084984
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: h2o
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for h2o.

CVE-2024-45403[0]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| When h2o is configured as a reverse proxy and HTTP/3 requests are
| cancelled by the client, h2o might crash due to an assertion
| failure. The crash can be exploited by an attacker to mount a
| Denial-of-Service attack. By default, the h2o standalone server
| automatically restarts, minimizing the impact. However, HTTP
| requests that were served concurrently will still be disrupted. The
| vulnerability has been addressed in commit 1ed32b2. Users may
| disable the use of HTTP/3 to mitigate the issue.

https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92
https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562
https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c

CVE-2024-45397[1]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| When an HTTP request using TLS/1.3 early data on top of TCP Fast
| Open or QUIC 0-RTT packets is received and the IP-address-based
| access control is used, the access control does not detect and
| prohibit HTTP requests conveyed by packets with a spoofed source
| address. This behavior allows attackers on the network to execute
| HTTP requests from addresses that are otherwise rejected by the
| address-based access control. The vulnerability has been addressed
| in commit 15ed15a. Users may disable the use of TCP FastOpen and
| QUIC to mitigate the issue.

https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a

CVE-2024-25622[2]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| The configuration directives provided by the headers handler allow
| users to modify the response headers being sent by h2o. The
| configuration file of h2o has scopes, and the inner scopes (e.g.,
| path level) are expected to inherit the configuration defined in
| outer scopes (e.g., global level). However, if a header directive is
| used in the inner scope, all the definitions in outer scopes are
| ignored. This can lead to headers not being modified as expected.
| Depending on the headers being added or removed unexpectedly, this
| behavior could lead to unexpected client behavior. This
| vulnerability is fixed in commit
| 123f5e2b65dcdba8f7ef659a00d24bd1249141be.

https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
https://github.com/h2o/h2o/issues/3332
https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45403
    https://www.cve.org/CVERecord?id=CVE-2024-45403
[1] https://security-tracker.debian.org/tracker/CVE-2024-45397
    https://www.cve.org/CVERecord?id=CVE-2024-45397
[2] https://security-tracker.debian.org/tracker/CVE-2024-25622
    https://www.cve.org/CVERecord?id=CVE-2024-25622

Please adjust the affected versions in the BTS as needed.

--- End Message ---
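As an added example, not part of the bug report and not h2o's own tooling: a small audit script over a parsed h2o.conf that flags the three conditions the advisories above describe (an HTTP/3 listener for CVE-2024-45403, TCP Fast Open or QUIC 0-RTT early data reaching an IP-address-based ACL for CVE-2024-45397, and header.* directives in an inner scope discarding those of outer scopes for CVE-2024-25622) and produces a copy with the advisories' workarounds applied. It assumes h2o's documented directive names (tcp-fastopen, listen entries with type: quic, header.set/header.unset and friends), that the IP-based ACL is written with h2o's mruby acl helper, that outer-to-inner is the inheritance order the advisory expects, and that h2o enables TFO by default on Linux; the configuration, hosts, paths and ACL are constructed for the demonstration.

```python
"""Audit an h2o.conf (as the mapping yaml.safe_load returns) for the three
conditions in the bug report: HTTP/3 listeners (CVE-2024-45403), TLS 1.3 early
data over TCP Fast Open or QUIC 0-RTT reaching an IP-based ACL (CVE-2024-45397),
and inner-scope header.* directives discarding outer ones (CVE-2024-25622).
Added example, not h2o's own tooling; SAMPLE_CONFIG is constructed."""
import copy

SSL = {"certificate-file": "/etc/h2o/cert.pem", "key-file": "/etc/h2o/key.pem"}

# Constructed h2o.conf.  Hosts, paths and the ACL are illustrative.
SAMPLE_CONFIG = {
    "tcp-fastopen": 4096,                        # non-zero enables TFO; 0 disables it
    "listen": [
        {"port": 443, "ssl": SSL},
        {"port": 443, "ssl": SSL, "type": "quic"},  # HTTP/3 listener
    ],
    "header.set": "X-Frame-Options: DENY",       # global scope
    "hosts": {"example.com": {
        "header.unset": "Server",                # host scope
        "paths": {
            "/": {"proxy.reverse.url": "http://127.0.0.1:8080/"},
            "/admin": {                          # path scope
                "header.set": ["Cache-Control: no-store", "X-Robots-Tag: noindex"],
                # assumption: the IP-based ACL is written with h2o's mruby acl helper
                "mruby.handler": 'acl { allow { addr("10.0.0.0/8") }; deny }',
                "proxy.reverse.url": "http://127.0.0.1:8081/",
            },
        },
    }},
}

def _as_list(value):
    """h2o accepts a scalar or a sequence for most directives; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]

def header_directives(scope):
    """(directive, value) pairs of the headers handler (header.set, header.unset, ...) in one scope."""
    return [(k, v) for k, val in scope.items() if k.startswith("header.") for v in _as_list(val)]

def _scopes(cfg):
    """Yield (name, [outer, ..., inner]) for the global, host and path scopes."""
    yield "global", [cfg]
    for host, hcfg in cfg.get("hosts", {}).items():
        yield f"hosts.{host}", [cfg, hcfg]
        for path, pcfg in hcfg.get("paths", {}).items():
            yield f"hosts.{host}.paths.{path}", [cfg, hcfg, pcfg]

def effective_headers(cfg, host, path, affected):
    """Header directives applied to responses for host/path.  affected=True models
    CVE-2024-25622: the innermost scope defining any header.* directive replaces all
    outer ones.  affected=False models the inheritance the advisory expects
    (outer-to-inner order is this example's assumption)."""
    chain = (cfg, cfg["hosts"][host], cfg["hosts"][host]["paths"][path])
    per_scope = [header_directives(s) for s in chain]
    if affected:
        return next((d for d in reversed(per_scope) if d), [])
    return [d for ds in per_scope for d in ds]

def find_shadowed_headers(cfg):
    """(scope, inner, dropped): scopes whose header.* directives discard outer ones when affected."""
    out = []
    for name, chain in _scopes(cfg):
        inner = header_directives(chain[-1])
        dropped = [d for s in chain[:-1] for d in header_directives(s)]
        if inner and dropped:
            out.append((name, inner, dropped))
    return out

def quic_listeners(cfg):
    """Listeners enabling HTTP/3: the surface for CVE-2024-45403 and for QUIC 0-RTT."""
    return [l for l in _as_list(cfg.get("listen", [])) if isinstance(l, dict) and l.get("type") == "quic"]

def early_data_acl_exposure(cfg):
    """Scopes whose mruby acl early-data requests can bypass (CVE-2024-45397): needs TCP
    Fast Open (tcp-fastopen, which h2o enables by default on Linux) or a QUIC listener.
    Spotting the ACL by the 'acl' keyword in mruby.handler is a heuristic."""
    early_data = bool(cfg.get("tcp-fastopen", 4096)) or bool(quic_listeners(cfg))
    return [name for name, chain in _scopes(cfg)
            if early_data and "acl" in str(chain[-1].get("mruby.handler", ""))]

def mitigated(cfg):
    """Copy of cfg with the advisories' workarounds: TFO off, QUIC listeners removed, and
    outer header.* directives repeated in each inner scope so an affected h2o still emits them."""
    out = copy.deepcopy(cfg)
    out["tcp-fastopen"] = 0
    quic = quic_listeners(out)
    out["listen"] = [l for l in _as_list(out.get("listen", [])) if l not in quic]
    # Plan from a snapshot so a path scope does not inherit the global directives twice via its host.
    plan = [(chain[-1], [d for s in chain[:-1] for d in header_directives(s)])
            for _, chain in _scopes(out) if header_directives(chain[-1])]
    for scope, outer in plan:
        inherited = {}
        for key, value in outer:
            inherited.setdefault(key, []).append(value)
        for key, values in inherited.items():
            scope[key] = values + _as_list(scope.get(key, []))   # outer first, then inner
    return out
```

Run it against a real file with `effective_headers(yaml.safe_load(open("h2o.conf")), host, path, affected=True)` to see which response headers an affected h2o actually emits for a given path; on the constructed config the host-level `header.unset: Server` alone is enough to drop the global `X-Frame-Options` from every path, not just the ones that define headers themselves. The `mitigated()` copy is the workaround shape, not the upstream fix: once a fixed h2o is deployed, the repeated directives are merely redundant.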
--- Begin Message ---
Version: 2.2.5+dfsg2-11+rm

Dear submitter,

as the package h2o has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1103775

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Paul Tagliamonte (the ftpmaster behind the curtain)

--- End Message ---
