Source: nghttp2
Source-Version: 1.31.1-1

On Thu, Apr 12, 2018 at 08:43:47PM +0200, Salvatore Bonaccorso wrote:
> Source: nghttp2
> Version: 0.6.4-2
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> The following vulnerability was published for nghttp2.
>
> CVE-2018-1000168[0]:
> Denial of service due to NULL pointer dereference
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000168
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000168
> [1] https://github.com/nghttp2/nghttp2/commit/b1bd6035e884b3d83748914a3b5f2a8e52a78a2f
> [2] http://www.openwall.com/lists/oss-security/2018/04/12/4
>
> Please adjust the affected versions in the BTS as needed.

This issue was fixed with the 1.31.1-1 upload to unstable (but the bug was not closed via bug closer); closing manually.

The issue does not warrant a DSA. Thomasz, can you address it via an upcoming stretch point release?

Regards,
Salvatore