DLA-3621-1

UNKNOWN

nghttp2 - security update

Published Oct 16, 2023

Modified 2 years ago

Fix available

Details

Multiple vulnerabilities were discovered in nghttp2, an implementation of the HTTP/2 protocol.

CVE-2020-11080

A denial-of-service could be caused by a large HTTP/2 SETTINGS
frame payload.

CVE-2023-44487

A denial-of-service could be caused by resetting many HTTP/2
streams quickly.  This has been observed in the wild since August.

Affected Packages

nghttp2

Debian 10

Fixed in:

1.36.0-2+deb10u2

References

Upstream

Ecosystems

Timeline

PublishedOct 16, 2023

ModifiedOct 16, 2023

DLA-3621-1 | Mondoo Vulnerability Intelligence