Your message dated Sun, 29 Sep 2024 12:32:09 +0000
with message-id <e1sut5t-006jym...@fasolo.debian.org>
and subject line Bug#1068415: fixed in nghttp2 1.52.0-1+deb12u2
has caused the Debian Bug report #1068415,
regarding nghttp2: CVE-2024-28182: Reading unbounded number of HTTP/2
CONTINUATION frames to cause excessive CPU usage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1068415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nghttp2
Version: 1.60.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for nghttp2.
CVE-2024-28182[0]:
| nghttp2 is an implementation of the Hypertext Transfer Protocol
| version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
| reading the unbounded number of HTTP/2 CONTINUATION frames even
| after a stream is reset to keep HPACK context in sync. This causes
| excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0
| mitigates this vulnerability by limiting the number of CONTINUATION
| frames it accepts per stream. There is no workaround for this
| vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28182
https://www.cve.org/CVERecord?id=CVE-2024-28182
[1] https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
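As an added illustration of the failure mode described in the CVE text above (this is example code written for this page, not nghttp2's code and not part of the bug thread): a toy HTTP/2 frame reader that accumulates HEADERS and CONTINUATION fragments into header blocks. With `max_continuations=None` it reproduces the pre-fix behaviour, reading every CONTINUATION frame and handing it to the HPACK decoder even after the stream has been reset for exceeding the header-block size; with a finite cap it fails the connection once the peer exceeds the allowance, which is the shape of the mitigation the advisory describes. The frame layout follows RFC 9113 section 4.1; the stream id, the 16-byte `0x82` fragments, the 256-byte block limit and the cap of 8 are constructed values for the illustration, not nghttp2's defaults.

```python
import struct

# HTTP/2 frame types and flags used here (RFC 9113 sections 6.2, 6.4, 6.10)
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for one frame")
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in data."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class ContinuationFlood(Exception):
    """Raised when a header block spans more CONTINUATION frames than allowed."""


class HeaderBlockReader:
    def __init__(self, max_header_block=4096, max_continuations=None):
        self.max_header_block = max_header_block    # block size beyond which the stream is reset
        self.max_continuations = max_continuations  # None = unbounded (pre-fix behaviour)
        self.pending = None          # stream id of the header block in progress
        self.block_size = 0
        self.continuations = 0
        self.reset_streams = set()
        self.completed = []          # stream ids whose header block was delivered
        self.hpack_bytes = 0         # bytes handed to the (simulated) HPACK decoder
        self.frames_read = 0

    def feed(self, data):
        for ftype, flags, sid, payload in iter_frames(data):
            self.frames_read += 1
            if self.pending is not None and ftype != CONTINUATION:
                raise ValueError("PROTOCOL_ERROR: CONTINUATION expected")
            if ftype == HEADERS:
                self.pending, self.block_size, self.continuations = sid, 0, 0
            elif ftype == CONTINUATION:
                if sid != self.pending:
                    raise ValueError("PROTOCOL_ERROR: CONTINUATION on wrong stream")
                self.continuations += 1
                if self.max_continuations is not None and self.continuations > self.max_continuations:
                    raise ContinuationFlood(f"stream {sid}: {self.continuations} CONTINUATION frames")
            else:
                continue  # other frame types are outside this illustration
            self.block_size += len(payload)
            if self.block_size > self.max_header_block:
                self.reset_streams.add(sid)  # the stream is reset ...
            # ... but every fragment is still HPACK-decoded so the dynamic table
            # stays in sync with the peer; this is the CPU work the attacker multiplies.
            self.hpack_bytes += len(payload)
            if flags & END_HEADERS:
                if sid not in self.reset_streams:
                    self.completed.append(sid)
                self.pending = None


def continuation_flood(stream_id=1, frames=10_000, fragment=b"\x82" * 16):
    """Constructed attacker traffic: a HEADERS frame without END_HEADERS followed
    by a long run of small CONTINUATION frames that never set END_HEADERS.
    0x82 is the HPACK indexed field for ':method: GET', so each fragment is valid."""
    out = [build_frame(HEADERS, 0, stream_id, fragment)]
    out += [build_frame(CONTINUATION, 0, stream_id, fragment)] * frames
    return b"".join(out)


def run(max_continuations):
    """Feed the flood to a reader and report how much work it did before stopping."""
    reader = HeaderBlockReader(max_header_block=256, max_continuations=max_continuations)
    try:
        reader.feed(continuation_flood())
        outcome = "consumed-all"
    except ContinuationFlood:
        outcome = "connection-error"
    return {"outcome": outcome, "frames": reader.frames_read,
            "hpack_bytes": reader.hpack_bytes, "reset": 1 in reader.reset_streams}


if __name__ == "__main__":
    print("unbounded  :", run(None))  # reads all 10001 frames, decodes every byte
    print("capped at 8:", run(8))     # fails the connection on the 9th CONTINUATION
```

The point the numbers make: the stream on the unbounded reader is already reset after the 17th fragment, yet the reader keeps decoding all 10,000 frames because the HPACK dynamic table cannot be left out of sync. A cap on CONTINUATION frames per header block bounds that work independently of the header-size limit, which on its own never stops the flood.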
--- Begin Message ---
Source: nghttp2
Source-Version: 1.52.0-1+deb12u2
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
nghttp2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated nghttp2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Sep 2024 16:25:38 +0300
Source: nghttp2
Architecture: source
Version: 1.52.0-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Tomasz Buchert <tom...@debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1068415
Changes:
nghttp2 (1.52.0-1+deb12u2) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2024-28182: unbounded number of HTTP/2 CONTINUATION frames DoS
(Closes: #1068415)
* nghttp2_option_set_stream_reset_rate_limit was added in
1.52.0-1+deb12u1, add to debian/libnghttp2-14.symbols
Checksums-Sha1:
77adc56fe3c4b03d8ab4a8d3a5b492daf3ebe54b 2541 nghttp2_1.52.0-1+deb12u2.dsc
88b51cc1f474df906ce3c3dc363bdf0cae3d76d0 1064232 nghttp2_1.52.0.orig.tar.gz
1df1e9cb689ef10c1722485a469f849d3885db80 19076 nghttp2_1.52.0-1+deb12u2.debian.tar.xz
Checksums-Sha256:
7105204227770127b9b71c01d5554a2b4c735b074e1e69d5c74939b78b9f84c3 2541 nghttp2_1.52.0-1+deb12u2.dsc
6b71561a9950b4a90fa36aa3160763f1437f3730d7a12434e416aa3f4ab145e0 1064232 nghttp2_1.52.0.orig.tar.gz
37335fd2f60de4e4aada982cbe0f6111437bacf16cba055ea535be9dd2df98c7 19076 nghttp2_1.52.0-1+deb12u2.debian.tar.xz
Files:
69eb01709616cef0d3a99c424fcc21ca 2541 httpd optional nghttp2_1.52.0-1+deb12u2.dsc
1a6b9d0a167cda033c7525818576dbd7 1064232 httpd optional nghttp2_1.52.0.orig.tar.gz
e2c84e257490c104e20e8abe19df5276 19076 httpd optional nghttp2_1.52.0-1+deb12u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=GoXX
-----END PGP SIGNATURE-----
--- End Message ---