Your message dated Sat, 02 Dec 2023 15:32:26 +0000
with message-id <e1r9ryk-0037zt...@fasolo.debian.org>
and subject line Bug#1053769: fixed in nghttp2 1.52.0-1+deb12u1
has caused the Debian Bug report #1053769,
regarding nghttp2: CVE-2023-44487
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nghttp2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for nghttp2.
CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: nghttp2
Source-Version: 1.52.0-1+deb12u1
Done: Moritz Mühlenhoff <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
nghttp2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated nghttp2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 24 Nov 2023 15:57:26 +0100
Source: nghttp2
Architecture: source
Version: 1.52.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Tomasz Buchert <tom...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1053769
Changes:
nghttp2 (1.52.0-1+deb12u1) bookworm-security; urgency=medium
.
* CVE-2023-44487 (Closes: #1053769)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---