Source: h2o
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for h2o.

CVE-2024-45403[0]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| When h2o is configured as a reverse proxy and HTTP/3 requests are
| cancelled by the client, h2o might crash due to an assertion
| failure. The crash can be exploited by an attacker to mount a
| Denial-of-Service attack. By default, the h2o standalone server
| automatically restarts, minimizing the impact. However, HTTP
| requests that were served concurrently will still be disrupted. The
| vulnerability has been addressed in commit 1ed32b2. Users may
| disable the use of HTTP/3 to mitigate the issue.

https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92
https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562
https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c

CVE-2024-45397[1]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| When an HTTP request using TLS/1.3 early data on top of TCP Fast
| Open or QUIC 0-RTT packets is received and the IP-address-based
| access control is used, the access control does not detect and
| prohibit HTTP requests conveyed by packets with a spoofed source
| address. This behavior allows attackers on the network to execute
| HTTP requests from addresses that are otherwise rejected by the
| address-based access control. The vulnerability has been addressed
| in commit 15ed15a. Users may disable the use of TCP FastOpen and
| QUIC to mitigate the issue.

https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a

CVE-2024-25622[2]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| The configuration directives provided by the headers handler allow
| users to modify the response headers being sent by h2o. The
| configuration file of h2o has scopes, and the inner scopes (e.g.,
| path level) are expected to inherit the configuration defined in
| outer scopes (e.g., global level). However, if a header directive is
| used in the inner scope, all the definitions in outer scopes are
| ignored. This can lead to headers not being modified as expected.
| Depending on the headers being added or removed unexpectedly, this
| behavior could lead to unexpected client behavior. This
| vulnerability is fixed in commit
| 123f5e2b65dcdba8f7ef659a00d24bd1249141be.

https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
https://github.com/h2o/h2o/issues/3332
https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45403
    https://www.cve.org/CVERecord?id=CVE-2024-45403
[1] https://security-tracker.debian.org/tracker/CVE-2024-45397
    https://www.cve.org/CVERecord?id=CVE-2024-45397
[2] https://security-tracker.debian.org/tracker/CVE-2024-25622
    https://www.cve.org/CVERecord?id=CVE-2024-25622

Please adjust the affected versions in the BTS as needed.
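The scope-inheritance problem behind CVE-2024-25622 is easiest to see in a concrete h2o configuration. The following is an added example written for this page, not part of the Debian report or the h2o project; the host name, certificate paths, document roots and header values are assumed for illustration, while the directive names (hosts, paths, listen, file.dir, header.set, header.unset, header.add) are h2o's own.

```yaml
# Added example (not from the bug report or h2o): host-scope header
# directives that a path scope is expected to inherit.
hosts:
  "example.com":                       # assumed host name
    listen:
      port: 443
      ssl:
        certificate-file: /etc/h2o/example.com.crt   # assumed path
        key-file: /etc/h2o/example.com.key           # assumed path
    # Outer (host) scope: these are meant to apply to every path below.
    header.set: "X-Content-Type-Options: nosniff"
    header.unset: "Server"
    paths:
      "/":
        file.dir: /srv/www                           # assumed path
        # No header directive here, so the host-scope directives apply.
      "/api":
        file.dir: /srv/www/api                       # assumed path
        # Inner (path) scope with its own header directive. On h2o builds
        # without commit 123f5e2, the presence of this directive made h2o
        # drop the two host-scope directives for /api: responses kept the
        # Server header and lacked X-Content-Type-Options.
        header.add: "Cache-Control: no-store"
        # Workaround on unfixed builds: restate the outer directives in
        # every inner scope that declares any header.* directive.
        header.set: "X-Content-Type-Options: nosniff"
        header.unset: "Server"
```

To confirm which behaviour a deployed build has, compare the response headers of a path without an inner header directive against one with it, for example with `curl -sI https://example.com/` and `curl -sI https://example.com/api/`, and check that X-Content-Type-Options is present and Server is absent in both. Once the package carries the fix, the restated directives under "/api" become redundant but remain harmless.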