USN-6754-1

Details

It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511, CVE-2019-9513)

It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

It was discovered that nghttp2 could be made to process an unlimited number of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. (CVE-2024-28182)

Affected Packages

Ubuntu:20.04:LTSnghttp2

Fixed in:

1.40.0-1ubuntu0.3

Ubuntu:22.04:LTSnghttp2

Fixed in:

1.43.0-1ubuntu0.2

Ubuntu:Pro:16.04:LTSnghttp2

Fixed in:

1.7.1-1ubuntu0.1~esm2

Ubuntu:Pro:18.04:LTSnghttp2

Fixed in:

1.30.0-1ubuntu1+esm2

References

REPORThttps://ubuntu.com/security/CVE-2019-9511 REPORThttps://ubuntu.com/security/CVE-2019-9513 REPORThttps://ubuntu.com/security/CVE-2023-44487 REPORThttps://ubuntu.com/security/CVE-2024-28182 ADVISORYhttps://ubuntu.com/security/notices/USN-6754-1

USN-6754-1

Details

Affected Packages

References

Upstream

Ecosystems

Timeline