Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201512-16 ========================================= Severity: High Date : 2015-12-25 CVE-ID : CVE-2015-8659 Package : nghttp2 Type : use-after-free Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package nghttp2 before version 1.6.0-1 is vulnerable to a heap-based use-after-free, leading to denial of service or possibly arbitrary code execution. Resolution ========= Upgrade to 1.6.0-1. # pacman -Syu "nghttp2>=1.6.0-1" The problem has been fixed upstream in version 1.6.0. Workaround ========= None. Description ========== nghttp2 1.6.0 fixes a heap-based use-after-free bug in idle stream handling code, where an idle/closed stream could possibly be destroyed while it was still referenced. Impact ===== A remote attacker could exploit this bug in a HTTP/2 client or server, leading to denial of service or even arbitrary code execution. References ========= https://access.redhat.com/security/cve/CVE-2015-8659 https://seclists.org/oss-sec/2015/q4/576 https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/ https://github.com/nghttp2/nghttp2/commit/92a56d034f201cbb609606184822cf1716677207