Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 534
Alerts This Week
Warning Icon 1 534

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 8 articles for you...
203

Mageia 9 MGASA-2024-0099 moderate: curl HTTP/2 memory leak issue

CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak . MGASA-2024-0099 - Updated curl packages fix security vulnerabilities Publication date: 29 Mar 2024 URL: https://advisories.mageia.org/MGASA-2024-0099.html Type: security Affected Mageia releases: 9 CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466 CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers. References: - https://bugs.mageia.org/show_bug.cgi?id=33020 - https://curl.se/docs/CVE-2024-2004.html - https://curl.se/docs/CVE-2024-2398.html - https://www.cve.org/CVERecord?id=CVE-2024-2004 - https://www.cve.org/CVERecord?id=CVE-2024-2379 - https://www.cve.org/CVERecord?id=CVE-2024-2398 - https://www.cve.org/CVERecord?id=CVE-2024-2466 SRPMS: - 9/core/curl-7.88.1-4.3.mga9 . Recent curl updates tackle various security vulnerabilities, including memory overflow risks and the use of outdated protocols. Find out more information.. curl security, mageia update, memory leak fix, protocol issues. . LinuxSecurity.com Team

Calendar%202 Mar 29, 2024 Mageia
87

Debian: DSA-5541-1 Critical: Jetty 9 Vulnerability Mitigation

Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service (server resource . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5540-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Markus Koschany October 30, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : jetty9 CVE ID : CVE-2023-36478 CVE-2023-44487 Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as Rapid Reset Attack. For the oldstable distribution (bullseye), these problems have been fixed in version 9.4.50-4+deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 9.4.50-4+deb12u2. We recommend that you upgrade your jetty9 packages. For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/jetty9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. . Two vulnerabilities resolved in Jetty 9 for Debian, tackling risks related to HTTP/2 attacks and denial of service threats. Update advised.. Jetty 9,Debian Security, HTTP/2 Vulnerabilities. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Oct 30, 2023 Critical Debian
100

SUSE: Important Security Update 2023:3600-1 for nginx Buffer Overflow

The container suse/nginx was updated. The following patches have been included in this update:. SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3600-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-5.24 , suse/nginx:latest Container Release : 5.24 Severity : important Type : security References : 1216123 1216174 1216378 CVE-2023-44487 CVE-2023-45853 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4200-1 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). The following package changes have been done: - libz1-1.2.13-150500.4.3.1 updated - libnghttp2-14-1.40.0-150200.12.1 updated - container:sles15-image-15.0.0-36.5.50 updated . SUSE Container Update Bulletin for suse/nginx, featuring updates that resolve security vulnerabilities. Essential fixes incorporated.. SUSE Container Update, NGINX Security, Important Updates, Buffer Overflow Fixes. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Oct 28, 2023 Important SuSE
89

Fedora 37: FEDORA-2023-b2c50535cb Critical: nghttp2 HTTP/2 Reset Attack

- fix HTTP/2 Rapid Reset (CVE-2023-44487). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-b2c50535cb 2023-10-28 01:25:02.281578 -------------------------------------------------------------------------------- Name : nghttp2 Product : Fedora 37 Version : 1.51.0 Release : 2.fc37 URL : https://nghttp2.org/ Summary : Experimental HTTP/2 client, server and proxy Description : This package contains the HTTP/2 client, server and proxy programs. -------------------------------------------------------------------------------- Update Information: - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 12 2023 Jan Macku - 1.51.0-2 - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) https://bugzilla.redhat.com/show_bug.cgi?id=2242803 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-b2c50535cb' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam, report it: . Fedora Users: A critical security advisory on HTTP/2 Rapid Reset attack in nghttp2 has been released. Update your system to ensure safety against this vulnerability. HTTP2 Rapid Reset, nghttp2 Security Update, Fedora 37 Advisory. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Oct 28, 2023 Critical Fedora
100

SUSE: 2023:4199-1 Important: Fix for nghttp2 Rapid Reset Attack

* bsc#1216123 * bsc#1216174 Cross-References: * CVE-2023-44487 . # Security update for nghttp2 Announcement ID: SUSE-SU-2023:4199-1 Rating: important References: * bsc#1216123 * bsc#1216174 Cross-References: * CVE-2023-44487 CVSS scores: * CVE-2023-44487 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-44487 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Software Development Kit 12 SP5 An update that solves one vulnerability and has one security fix can now be installed. ## Description: This update for nghttp2 fixes the following issues: * CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Software Development Kit 12 SP5 zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4199=1 * SUSE Linux Enterprise High Performance Computing 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 * SUSE Linux Enterprise Server 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4199=1 ## Package List: * SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64) * libnghttp2-devel-1.39.2-3.13.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64) *libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise Server 12 SP5 (s390x x86_64) * libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64) * nghttp2-debugsource-1.39.2-3.13.1 * nghttp2-debuginfo-1.39.2-3.13.1 * libnghttp2-14-1.39.2-3.13.1 * libnghttp2-14-debuginfo-1.39.2-3.13.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64) * libnghttp2-14-debuginfo-32bit-1.39.2-3.13.1 * libnghttp2-14-32bit-1.39.2-3.13.1 ## References: * https://www.suse.com/security/cve/CVE-2023-44487.html * https://bugzilla.suse.com/show_bug.cgi?id=1216123 * https://bugzilla.suse.com/show_bug.cgi?id=1216174 . Urgent patch release for nghttp2 in SUSE tackling HTTP/2 Rapid Reset vulnerability. Update your systems immediately.. Linux Enterprise, SuSE Linux, Server Security, nghttp2, Software Update. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Oct 26, 2023 Important SuSE
87

Debian 10: DSA-5522-3 Critical: Tomcat9 HTTP2 Regression Attack Fix

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5522-3 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Markus Koschany October 16, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat9 CVE ID : CVE-2023-44487 A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early. For the oldstable distribution (bullseye), this problem has been fixed in version 9.0.43-2~deb11u9. We recommend that you upgrade your tomcat9 packages. For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/tomcat9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. . The latest patch for Tomcat 9 resolves a premature closure issue affecting HTTP2 connections. It is advisable to perform an upgrade!. Tomcat9 Update, Debian Security, HTTP2 Issue, Regression Fix. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Oct 16, 2023 Critical Debian
89

Fedora 38: 2023-ed2642fd58 Critical: Fix HTTP/2 Rapid Reset Attack

- fix HTTP/2 Rapid Reset (CVE-2023-44487). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-ed2642fd58 2023-10-15 01:42:32.629413 -------------------------------------------------------------------------------- Name : nghttp2 Product : Fedora 38 Version : 1.52.0 Release : 2.fc38 URL : https://nghttp2.org/ Summary : Experimental HTTP/2 client, server and proxy Description : This package contains the HTTP/2 client, server and proxy programs. -------------------------------------------------------------------------------- Update Information: - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 12 2023 Jan Macku - 1.52.0-2 - fix HTTP/2 Rapid Reset (CVE-2023-44487) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) https://bugzilla.redhat.com/show_bug.cgi?id=2242803 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-ed2642fd58' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam, report it: . Resolving the HTTP/2 Rapid Reset issue in Fedora 38 through the application of enhancements to nghttp2 packages.. nghttp2 Fedora Update Rapid Reset DDoS. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Oct 15, 2023 Critical Fedora
202

openSUSE Leap 15.3: 2021:2953-1 Moderate Nodejs10 Update for Security Flaws

An update that fixes four vulnerabilities is now available. . openSUSE Security Update: Security update for nodejs10 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:2953-1 Rating: moderate References: #1188881 #1188917 #1189369 #1189370 Cross-References: CVE-2021-22930 CVE-2021-22931 CVE-2021-22939 CVE-2021-3672 CVSS scores: CVE-2021-22930 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-22931 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-22939 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-3672 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for nodejs10 fixes the following issues: - CVE-2021-3672: Fixed missing input validation on hostnames (bsc#1188881). - CVE-2021-22930: Fixed use after free on close http2 on stream canceling (bsc#1188917). - CVE-2021-22939: Fixed incomplete validation of rejectUnauthorized parameter (bsc#1189369). - CVE-2021-22931: Fixed improper handling of untypical characters in domain names (bsc#1189370). Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-2953=1 Package List: - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): nodejs10-10.24.1-1.39.2 nodejs10-debuginfo-10.24.1-1.39.2 nodejs10-debugsource-10.24.1-1.39.2 nodejs10-devel-10.24.1-1.39.2 npm10-10.24.1-1.39.2 - openSUSE Leap15.3 (noarch): nodejs10-docs-10.24.1-1.39.2 References: https://www.suse.com/security/cve/CVE-2021-22930.html https://www.suse.com/security/cve/CVE-2021-22931.html https://www.suse.com/security/cve/CVE-2021-22939.html https://www.suse.com/security/cve/CVE-2021-3672.html https://bugzilla.suse.com/1188881 https://bugzilla.suse.com/1188917 https://bugzilla.suse.com/1189369 https://bugzilla.suse.com/1189370 . Critical patch for nodejs10 on openSUSE addresses four security flaws. Please update without delay!. openSUSE Security Update,nodejs10 patch,moderate security issues. . LinuxSecurity.com Team

Calendar%202 Sep 03, 2021 OpenSUSE
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200