Security vulnerability in h2o 2.2.4
Bug #1776877 reported by
Pete Chown
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| h2o (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Hello,
The release information for h2o 2.2.5 notes that a security vulnerability was fixed; see:
https:/
This release is available for Cosmic but has not been backported to Bionic. Would it be possible to do this?
The weakness is described as a buffer overflow, so it seems likely that it allows for arbitrary code execution, though details have not yet been published. CVE-2018-0608 has been assigned but is currently blank.
Many thanks,
Pete
CVE References
Revision history for this message
| Leonidas S. Barbosa (leosilvab) wrote | #1 |
| information type: | Private Security → Public Security |
| tags: | added: community-security |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Changed in h2o (Ubuntu): | |
| status: | New → Incomplete |
| Changed in h2o (Ubuntu): | |
| status: | Incomplete → New |
To post a comment you must log in.
Hi Pete!
Since the h2o package is in the universe repository, it is community maintained. This means that the security team will not be fixing the package unless a community member contributes a debdiff for sponsoring that fixes the issue.
Here is the commit that fix this in upstream:
https:/