Your message dated Wed, 13 Dec 2023 07:04:40 +0000
with message-id <e1rdjio-009xal...@fasolo.debian.org>
and subject line Bug#1053769: fixed in nghttp2 1.43.0-1+deb11u1
has caused the Debian Bug report #1053769,
regarding nghttp2: CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nghttp2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nghttp2.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: nghttp2
Source-Version: 1.43.0-1+deb11u1
Done: Moritz Mühlenhoff <j...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nghttp2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated nghttp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Nov 2023 15:47:19 +0100
Source: nghttp2
Architecture: source
Version: 1.43.0-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Tomasz Buchert <tom...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1053769
Changes:
 nghttp2 (1.43.0-1+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2023-44487 (Closes: #1053769)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
