USN-6505-1: nghttp2 vulnerability
22 November 2023
nghttp2 could be made to consume resources if it received specially crafted network traffic.
Releases
Packages
- nghttp2 - HTTP/2 C Library and tools
Details
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10
-
libnghttp2-14
-
1.55.1-1ubuntu0.1
-
nghttp2
-
1.55.1-1ubuntu0.1
-
nghttp2-client
-
1.55.1-1ubuntu0.1
-
nghttp2-proxy
-
1.55.1-1ubuntu0.1
-
nghttp2-server
-
1.55.1-1ubuntu0.1
Ubuntu 23.04
-
libnghttp2-14
-
1.52.0-1ubuntu0.1
-
nghttp2
-
1.52.0-1ubuntu0.1
-
nghttp2-client
-
1.52.0-1ubuntu0.1
-
nghttp2-proxy
-
1.52.0-1ubuntu0.1
-
nghttp2-server
-
1.52.0-1ubuntu0.1
Ubuntu 22.04
-
libnghttp2-14
-
1.43.0-1ubuntu0.1
-
nghttp2
-
1.43.0-1ubuntu0.1
-
nghttp2-client
-
1.43.0-1ubuntu0.1
-
nghttp2-proxy
-
1.43.0-1ubuntu0.1
-
nghttp2-server
-
1.43.0-1ubuntu0.1
Ubuntu 20.04
-
libnghttp2-14
-
1.40.0-1ubuntu0.2
-
nghttp2
-
1.40.0-1ubuntu0.2
-
nghttp2-client
-
1.40.0-1ubuntu0.2
-
nghttp2-proxy
-
1.40.0-1ubuntu0.2
-
nghttp2-server
-
1.40.0-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6427-1: netstandard-targeting-pack-2.1, dotnet-runtime-6.0, dotnet7, dotnet-apphost-pack-6.0, dotnet6, dotnet-host, dotnet-targeting-pack-7.0, aspnetcore-runtime-7.0, dotnet-hostfxr-6.0, aspnetcore-targeting-pack-6.0, dotnet-sdk-7.0, dotnet-templates-7.0, dotnet-sdk-6.0-source-built-artifacts, dotnet-runtime-7.0, dotnet-templates-6.0, dotnet-targeting-pack-6.0, aspnetcore-targeting-pack-7.0, dotnet-apphost-pack-7.0, netstandard-targeting-pack-2.1-7.0, dotnet-sdk-7.0-source-built-artifacts, dotnet-sdk-6.0, aspnetcore-runtime-6.0, dotnet-hostfxr-7.0, dotnet-host-7.0
- USN-6427-2: dotnet-apphost-pack-8.0, aspnetcore-targeting-pack-8.0, dotnet-sdk-8.0-source-built-artifacts, dotnet8, dotnet-runtime-8.0, dotnet-targeting-pack-8.0, dotnet-host-8.0, dotnet-sdk-8.0, netstandard-targeting-pack-2.1-8.0, aspnetcore-runtime-8.0, dotnet-templates-8.0, dotnet-hostfxr-8.0
- USN-6438-1: netstandard-targeting-pack-2.1, dotnet-runtime-6.0, dotnet7, dotnet-apphost-pack-6.0, dotnet6, dotnet-host, dotnet-targeting-pack-7.0, aspnetcore-runtime-7.0, dotnet-hostfxr-6.0, aspnetcore-targeting-pack-6.0, dotnet-sdk-7.0, dotnet-templates-7.0, dotnet-sdk-6.0-source-built-artifacts, dotnet-runtime-7.0, dotnet-templates-6.0, dotnet-targeting-pack-6.0, aspnetcore-targeting-pack-7.0, dotnet-apphost-pack-7.0, netstandard-targeting-pack-2.1-7.0, dotnet-sdk-7.0-source-built-artifacts, dotnet-sdk-6.0, aspnetcore-runtime-6.0, dotnet-hostfxr-7.0, dotnet-host-7.0
- USN-6574-1: golang-1.20-src, golang-1.21-go, golang-1.20-doc, golang-1.21, golang-1.21-doc, golang-1.21-src, golang-1.20, golang-1.20-go
- USN-6754-1: libnghttp2-14, nghttp2, libnghttp2-dev, nghttp2-proxy, nghttp2-server, nghttp2-client, libnghttp2-doc
- USN-6994-1: netty, libnetty-java
- USN-7067-1: haproxy, haproxy-doc, vim-haproxy