USN-6142-1: nghttp2 vulnerability
6 June 2023
nghttp2 could be made to crash if it opened a specially crafted file.
Releases
Packages
- nghttp2 - HTTP/2 C Library and tools
Details
Gal Goldshtein discovered that nghttp2 incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
libnghttp2-14
-
1.40.0-1ubuntu0.1
-
libnghttp2-dev
-
1.40.0-1ubuntu0.1
-
nghttp2-proxy
-
1.40.0-1ubuntu0.1
-
nghttp2
-
1.40.0-1ubuntu0.1
-
nghttp2-client
-
1.40.0-1ubuntu0.1
-
nghttp2-server
-
1.40.0-1ubuntu0.1
Ubuntu 18.04
-
libnghttp2-14
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
-
libnghttp2-dev
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
-
nghttp2-proxy
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
-
nghttp2
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
-
nghttp2-client
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
-
nghttp2-server
-
1.30.0-1ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
libnghttp2-14
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libnghttp2-dev
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
nghttp2-proxy
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
nghttp2
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
nghttp2-client
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
nghttp2-server
-
1.7.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.