[Debian] High CVE: CVE-2023-44487 nghttp2 - denial of service

Bug #2045544 reported by Yue Tao
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
High
Zhixiong Chi

Bug Description

CVE-2023-44487: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
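The attack described above works because a client can open a stream with a HEADERS frame and immediately cancel it with RST_STREAM, repeating this faster than the server can tear the streams down. One server-side mitigation is to track RST_STREAM frames per connection in a sliding time window and flag (or close) connections that exceed a budget. The following Python is an added illustration of that detection logic, not code from nghttp2, Debian or StarlingX; the frame tuples, the connection identifiers and the threshold of 100 resets per second are constructed for the example and are assumptions, not values from the advisory.

```python
from collections import deque

# HTTP/2 frame type codes (RFC 9113, section 6); only these two matter here.
HEADERS = 0x1
RST_STREAM = 0x3


class RapidResetMonitor:
    """Counts RST_STREAM frames per connection inside a sliding window.

    max_resets: number of resets tolerated inside one window per connection.
    window_seconds: length of the sliding window.
    """

    def __init__(self, max_resets=100, window_seconds=1.0):
        self.max_resets = max_resets
        self.window_seconds = window_seconds
        self._resets = {}  # connection id -> deque of reset timestamps

    def observe(self, conn_id, frame_type, ts):
        """Record one frame; return True if this frame exceeds the reset budget."""
        if frame_type != RST_STREAM:
            return False
        q = self._resets.setdefault(conn_id, deque())
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window_seconds:
            q.popleft()
        return len(q) > self.max_resets


def flagged_connections(frames, max_resets=100, window_seconds=1.0):
    """Return the sorted ids of connections that blew through the reset budget.

    frames is an iterable of (conn_id, frame_type, timestamp_seconds) tuples,
    in arrival order, as a frame decoder would hand them over.
    """
    monitor = RapidResetMonitor(max_resets, window_seconds)
    flagged = set()
    for conn_id, frame_type, ts in frames:
        if monitor.observe(conn_id, frame_type, ts):
            flagged.add(conn_id)
    return sorted(flagged)


def sample_frames():
    """Constructed traffic: one ordinary client and one that resets rapidly."""
    frames = []
    # client-A: three normal requests and a single cancelled one.
    for i in range(3):
        frames.append(("client-A", HEADERS, 0.1 * i))
    frames.append(("client-A", HEADERS, 0.5))
    frames.append(("client-A", RST_STREAM, 0.6))
    # client-B: 200 open/reset pairs inside half a second.
    for i in range(200):
        t = 0.0025 * i
        frames.append(("client-B", HEADERS, t))
        frames.append(("client-B", RST_STREAM, t))
    return frames


if __name__ == "__main__":
    print("flagged:", flagged_connections(sample_frames()))
```

The budget is deliberately per connection rather than global, so a burst from one client cannot cause legitimate peers on other connections to be flagged; in a real server the flagged connection would be closed with GOAWAY rather than merely reported.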

Base Score: High

Reference:

['libnghttp2-14_1.43.0-1_amd64.deb===>libnghttp2-14_1.43.0-1+deb11u1_amd64.deb']
https://www.debian.org/security/2023/dsa-5570
https://www.tenable.com/plugins/nessus/186518


Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/902739

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/902739
Committed: https://opendev.org/starlingx/tools/commit/71d79a575cc734b617d5f64b2140556f81482abb
Submitter: "Zuul (22348)"
Branch: master

commit 71d79a575cc734b617d5f64b2140556f81482abb
Author: Zhixiong Chi <email address hidden>
Date: Mon Dec 4 01:59:01 2023 -0800

    nghttp2: Upgrade to 1.43.0-1+deb11u1

    Upgrade subpackage libnghttp2-14 to 1.43.0-1+deb11u1 to fix CVE
    issue CVE-2023-44487

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5570-1
    https://www.debian.org/security/2023/dsa-5570
    https://www.tenable.com/plugins/nessus/186518

    TestPlan
    PASS: downloader; build-pkgs; build-image
    PASS: Jenkins Installation

    Closes-Bug: 2045544

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: Ib6d97caf466b851e814e818b41a69cdb62752eb0

Changed in starlingx:
status: In Progress → Fix Released