Explore top 10 tips to secure your open-source projects now. Read More
×CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak . MGASA-2024-0099 - Updated curl packages fix security vulnerabilities Publication date: 29 Mar 2024 URL: https://advisories.mageia.org/MGASA-2024-0099.html Type: security Affected Mageia releases: 9 CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466 CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers. References: - https://bugs.mageia.org/show_bug.cgi?id=33020 - https://curl.se/docs/CVE-2024-2004.html - https://curl.se/docs/CVE-2024-2398.html - https://www.cve.org/CVERecord?id=CVE-2024-2004 - https://www.cve.org/CVERecord?id=CVE-2024-2379 - https://www.cve.org/CVERecord?id=CVE-2024-2398 - https://www.cve.org/CVERecord?id=CVE-2024-2466 SRPMS: - 9/core/curl-7.88.1-4.3.mga9 . Recent curl updates tackle various security vulnerabilities, including memory overflow risks and the use of outdated protocols. Find out more information.. curl security, mageia update, memory leak fix, protocol issues. . LinuxSecurity.com Team
Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service (server resource . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5540-1
The container suse/nginx was updated. The following patches have been included in this update:. SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3600-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-5.24 , suse/nginx:latest Container Release : 5.24 Severity : important Type : security References : 1216123 1216174 1216378 CVE-2023-44487 CVE-2023-45853 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4200-1 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). The following package changes have been done: - libz1-1.2.13-150500.4.3.1 updated - libnghttp2-14-1.40.0-150200.12.1 updated - container:sles15-image-15.0.0-36.5.50 updated . SUSE Container Update Bulletin for suse/nginx, featuring updates that resolve security vulnerabilities. Essential fixes incorporated.. SUSE Container Update, NGINX Security, Important Updates, Buffer Overflow Fixes. . Severity: Important. LinuxSecurity.com Team
- fix HTTP/2 Rapid Reset (CVE-2023-44487). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-b2c50535cb 2023-10-28 01:25:02.281578 -------------------------------------------------------------------------------- Name : nghttp2 Product : Fedora 37 Version : 1.51.0 Release : 2.fc37 URL : https://nghttp2.org/ Summary : Experimental HTTP/2 client, server and proxy Description : This package contains the HTTP/2 client, server and proxy programs. -------------------------------------------------------------------------------- Update Information: - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 12 2023 Jan Macku - 1.51.0-2 - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) https://bugzilla.redhat.com/show_bug.cgi?id=2242803 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-b2c50535cb' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
* bsc#1216123 * bsc#1216174 Cross-References: * CVE-2023-44487 . # Security update for nghttp2 Announcement ID: SUSE-SU-2023:4199-1 Rating: important References: * bsc#1216123 * bsc#1216174 Cross-References: * CVE-2023-44487 CVSS scores: * CVE-2023-44487 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-44487 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Software Development Kit 12 SP5 An update that solves one vulnerability and has one security fix can now be installed. ## Description: This update for nghttp2 fixes the following issues: * CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Software Development Kit 12 SP5 zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4199=1 * SUSE Linux Enterprise High Performance Computing 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 * SUSE Linux Enterprise Server 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 ## Package List: * SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64) * libnghttp2-devel-1.39.2-3.13.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64) *libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise Server 12 SP5 (s390x x86_64) * libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64) * libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 ## References: * https://www.suse.com/security/cve/CVE-2023-44487.html * https://bugzilla.suse.com/show_bug.cgi?id=1216123 * https://bugzilla.suse.com/show_bug.cgi?id=1216174 . Urgent patch release for nghttp2 in SUSE tackling HTTP/2 Rapid Reset vulnerability. Update your systems immediately.. Linux Enterprise, SuSE Linux, Server Security, nghttp2, Software Update. . Severity: Important. LinuxSecurity.com Team
A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5522-3
- fix HTTP/2 Rapid Reset (CVE-2023-44487). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-ed2642fd58 2023-10-15 01:42:32.629413 -------------------------------------------------------------------------------- Name : nghttp2 Product : Fedora 38 Version : 1.52.0 Release : 2.fc38 URL : https://nghttp2.org/ Summary : Experimental HTTP/2 client, server and proxy Description : This package contains the HTTP/2 client, server and proxy programs. -------------------------------------------------------------------------------- Update Information: - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 12 2023 Jan Macku - 1.52.0-2 - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) https://bugzilla.redhat.com/show_bug.cgi?id=2242803 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-ed2642fd58' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
An update that fixes four vulnerabilities is now available. . openSUSE Security Update: Security update for nodejs10 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:2953-1 Rating: moderate References: #1188881 #1188917 #1189369 #1189370 Cross-References: CVE-2021-22930 CVE-2021-22931 CVE-2021-22939 CVE-2021-3672 CVSS scores: CVE-2021-22930 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-22931 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-22939 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-3672 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for nodejs10 fixes the following issues: - CVE-2021-3672: Fixed missing input validation on hostnames (bsc#1188881). - CVE-2021-22930: Fixed use after free on close http2 on stream canceling (bsc#1188917). - CVE-2021-22939: Fixed incomplete validation of rejectUnauthorized parameter (bsc#1189369). - CVE-2021-22931: Fixed improper handling of untypical characters in domain names (bsc#1189370). Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-2953=1 Package List: - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): nodejs10-10.24.1-1.39.2 nodejs10-debuginfo-10.24.1-1.39.2 nodejs10-debugsource-10.24.1-1.39.2 nodejs10-devel-10.24.1-1.39.2 npm10-10.24.1-1.39.2 - openSUSE Leap15.3 (noarch): nodejs10-docs-10.24.1-1.39.2 References: https://www.suse.com/security/cve/CVE-2021-22930.html https://www.suse.com/security/cve/CVE-2021-22931.html https://www.suse.com/security/cve/CVE-2021-22939.html https://www.suse.com/security/cve/CVE-2021-3672.html https://bugzilla.suse.com/1188881 https://bugzilla.suse.com/1188917 https://bugzilla.suse.com/1189369 https://bugzilla.suse.com/1189370 . Critical patch for nodejs10 on openSUSE addresses four security flaws. Please update without delay!. openSUSE Security Update,nodejs10 patch,moderate security issues. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.