CVE-2019-9513
Published: 13 August 2019
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
nghttp2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.39.2)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(1.39.2-1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.39.2-1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needed)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
nginx Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Released
(1.16.1-0ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(1.16.1-0ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(1.14.0-0ubuntu1.4)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(1.10.3-0ubuntu0.16.04.4)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(http2 support not implemented)
|
|
|
Patches: Upstream: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b |
||
|
nodejs Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needs triage
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needs triage
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needs-triage)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
|