httpd24-nghttp2-1.7.1-8.AXS4.1

Errata ID: AXSA:2020-197:02

Release date:
2020/07/02 Thursday - 03:36
Title:
httpd24-nghttp2-1.7.1-8.AXS4.1
Affected channels:
Asianux Server 4 for x86_64
Severity: 
High
Description: 

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.

Security Fix(es):

* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-11080
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround for this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
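
The entry-count test from the workaround, shown as an added example that is not code from nghttp2 or from this advisory: a stand-alone check on the raw 9-byte HTTP/2 frame header, where a SETTINGS payload of 14,400 bytes works out to 2400 six-byte entries. The function names, the verdict enum and the sample headers are assumptions made for illustration; the limit of 32 is the one the advisory suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_FRAME_HDR_LEN     9   /* fixed frame header size, RFC 7540 4.1 */
#define H2_TYPE_SETTINGS     0x4 /* SETTINGS frame type, RFC 7540 6.5 */
#define H2_FLAG_ACK          0x1
#define H2_SETTINGS_ENTRY    6   /* 16-bit identifier + 32-bit value */
#define MAX_SETTINGS_ENTRIES 32  /* threshold suggested in the advisory */

enum verdict { FRAME_OK, FRAME_DROP, FRAME_NEED_MORE };

/* Decide from the 9-byte frame header alone whether to drop the connection.
 * *entries receives the number of settings entries the frame announces. */
enum verdict check_frame_header(const uint8_t *buf, size_t len, size_t *entries)
{
    *entries = 0;
    if (len < H2_FRAME_HDR_LEN)
        return FRAME_NEED_MORE;
    uint32_t payload_len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t type = buf[3], flags = buf[4];
    uint32_t stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                         ((uint32_t)buf[7] << 8) | buf[8];
    if (type != H2_TYPE_SETTINGS)
        return FRAME_OK;
    /* Malformed SETTINGS frames are connection errors under RFC 7540 6.5. */
    if (stream_id != 0 || payload_len % H2_SETTINGS_ENTRY != 0 ||
        ((flags & H2_FLAG_ACK) && payload_len != 0))
        return FRAME_DROP;
    *entries = payload_len / H2_SETTINGS_ENTRY;
    return *entries > MAX_SETTINGS_ENTRIES ? FRAME_DROP : FRAME_OK;
}

/* Build a constructed sample header on stream 0 (test data, not a capture). */
void make_header(uint8_t out[H2_FRAME_HDR_LEN], uint32_t payload_len, uint8_t type, uint8_t flags)
{
    out[0] = (uint8_t)(payload_len >> 16);
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    out[3] = type;
    out[4] = flags;
    out[5] = out[6] = out[7] = out[8] = 0;
}

int main(void)
{
    const uint32_t samples[] = { 18, 192, 198, 14400 }; /* payload lengths in bytes */
    uint8_t hdr[H2_FRAME_HDR_LEN];
    size_t n;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_header(hdr, samples[i], H2_TYPE_SETTINGS, 0);
        enum verdict v = check_frame_header(hdr, sizeof hdr, &n);
        printf("%u bytes, %zu entries: %s\n", (unsigned)samples[i], n, v == FRAME_DROP ? "drop" : "ok");
    }
    return 0;
}
```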

Solution:

Update packages.

Additional information:

N/A

Download:

SRPMS
  1. httpd24-nghttp2-1.7.1-8.AXS4.1.src.rpm
    MD5: 494d809d8c3da2301debda5aae5a02cc
    SHA-256: 168e3b20a4e763b5bd73825709b160f52b07382ba0e15f518d8c2a09f1fdae97
    Size: 1.35 MB

Asianux Server 4 for x86_64
  1. httpd24-libnghttp2-1.7.1-8.AXS4.1.x86_64.rpm
    MD5: 31eb942504f4379fbaa7d0c2b781efae
    SHA-256: 369b619ca6aaf04049e693df12f2e5565cd05dc6c01ba0af657cf51accbb1c7f
    Size: 56.76 kB
  2. httpd24-libnghttp2-devel-1.7.1-8.AXS4.1.x86_64.rpm
    MD5: a73e33621f54f9ff5b7855a4a82aa999
    SHA-256: 343cd4d77b8e3d3bc54f6204d9bb4b0b57afafc8aa3c4e8c21d06552eb1ab283
    Size: 45.08 kB
  3. httpd24-nghttp2-1.7.1-8.AXS4.1.x86_64.rpm
    MD5: 217d072e4d07ce59e0e642fb2b5ff4db
    SHA-256: 75c5516aa68d03b60ef5000cbc7b110b1e741d76d0d35a04c775598f381f90de
    Size: 3.86 kB