httpd24-nghttp2-1.7.1-8.AXS4.1
Errata ID: AXSA:2020-197:02
libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.
Security Fix(es):
* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-11080
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client repeatedly constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries). The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. A workaround is available: implement the nghttp2_on_frame_recv_callback callback and, if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
Update packages.
SRPMS
- httpd24-nghttp2-1.7.1-8.AXS4.1.src.rpm
MD5: 494d809d8c3da2301debda5aae5a02cc
SHA-256: 168e3b20a4e763b5bd73825709b160f52b07382ba0e15f518d8c2a09f1fdae97
Size: 1.35 MB
Asianux Server 4 for x86_64
- httpd24-libnghttp2-1.7.1-8.AXS4.1.x86_64.rpm
MD5: 31eb942504f4379fbaa7d0c2b781efae
SHA-256: 369b619ca6aaf04049e693df12f2e5565cd05dc6c01ba0af657cf51accbb1c7f
Size: 56.76 kB
- httpd24-libnghttp2-devel-1.7.1-8.AXS4.1.x86_64.rpm
MD5: a73e33621f54f9ff5b7855a4a82aa999
SHA-256: 343cd4d77b8e3d3bc54f6204d9bb4b0b57afafc8aa3c4e8c21d06552eb1ab283
Size: 45.08 kB
- httpd24-nghttp2-1.7.1-8.AXS4.1.x86_64.rpm
MD5: 217d072e4d07ce59e0e642fb2b5ff4db
SHA-256: 75c5516aa68d03b60ef5000cbc7b110b1e741d76d0d35a04c775598f381f90de
Size: 3.86 kB