Your message dated Mon, 26 May 2025 01:26:05 +0000
with message-id <e1ujmbn-006i1s...@fasolo.debian.org>
and subject line Bug#1103775: Removed package(s) from unstable
has caused the Debian Bug report #1059413,
regarding h2o: CVE-2023-41337
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1059413: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059413
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: h2o
Version: 2.2.5+dfsg2-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for h2o.
CVE-2023-41337[0]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| In version 2.3.0-beta2 and prior, when h2o is configured to listen
| to multiple addresses or ports with each of them using different
| backend servers managed by multiple entities, a malicious backend
| entity that also has the opportunity to observe or inject packets
| exchanged between the client and h2o may misdirect HTTPS requests
| going to other backends and observe the contents of that HTTPS
| request being sent. The attack involves a victim client trying to
| resume a TLS connection and an attacker redirecting the packets to a
| different address or port than that intended by the client. The
| attacker must already have been configured by the administrator of
| h2o to act as a backend to one of the addresses or ports that the
| h2o instance listens to. Session IDs and tickets generated by h2o
| are not bound to information specific to the server address, port,
| or the X.509 certificate, and therefore it is possible for an
| attacker to force the victim connection to wrongfully resume against
| a different server address or port on which the same h2o instance is
| listening. Once a TLS session is misdirected to resume to a server
| address / port that is configured to use an attacker-controlled
| server as the backend, depending on the configuration, HTTPS
| requests from the victim client may be forwarded to the attacker's
| server. An H2O instance is vulnerable to this attack only if the
| instance is configured to listen to different addresses or ports
| using the listen directive at the host level and the instance is
| configured to connect to backend servers managed by multiple
| entities. A patch is available at commit
| 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may
| stop using using host-level listen directives in favor of global-
| level ones.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-41337
https://www.cve.org/CVERecord?id=CVE-2023-41337
[1] https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q
[2] https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab
Please adjust the affected versions in the BTS as needed. If I
followed the code correctly then this one is as well present in the
older versions ad present in unstable and older, but please double
check.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 2.2.5+dfsg2-11+rm
Dear submitter,
as the package h2o has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1103775
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Paul Tagliamonte (the ftpmaster behind the curtain)
--- End Message ---
