This was a security update pushed out recently:

nghttp2 (1.59.0-1ubuntu0.4) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling issue
    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP
      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,
      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,
      src/shrpx_http_downstream_connection.cc,
      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.
    - CVE-2026-58055

I will flag this as a security regression.

** CVE added: https://cve.org/CVERecord?id=CVE-2026-58055

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2159650

Title:
  multiple http/2 connection failures with libnghttp2-14:amd64
  1.59.0-1ubuntu0.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/2159650/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to