
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion #1958

Closed
31 tasks done
KexyBiscuit opened this issue Aug 16, 2019 · 8 comments
Assignees: KexyBiscuit
Labels: aosa-pending (Pending AOSA (AOSC OS Security Advisory) assignment), security (Topic/issue involves a security issue/fixed), upgrade (Topic/issue involves a package upgrade)

Comments

KexyBiscuit (Member) commented Aug 16, 2019

Packages affected & Source progress:

CVE IDs: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518

Other security advisory IDs: VU#605641, USN-4099-1, DSA-4505-1, ASA-201908-13, ASA-201908-17, DSA-4511-1

Descriptions: Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.

Patches: N/A

PoC(s): N/A

Architectural progress:

  • httpd (Apache HTTP Server)
    • amd64 (AMD64)
    • arm64 (AArch64)
    • armel (ARMv7)
    • ppc64 (PowerPC 64-bit BE)
    • powerpc (PowerPC 32-bit BE)
  • nginx
    • amd64 (AMD64)
    • arm64 (AArch64)
    • armel (ARMv7)
    • ppc64 (PowerPC 64-bit BE)
    • powerpc (PowerPC 32-bit BE)
  • go
    • amd64 (AMD64)
    • arm64 (AArch64)
    • armel (ARMv7)
  • nghttp2
    • amd64 (AMD64)
    • arm64 (AArch64)
    • armel (ARMv7)
    • ppc64 (PowerPC 64-bit BE)
    • powerpc (PowerPC 32-bit BE)
  • nodejs (Node.js)
    • amd64 (AMD64)
    • arm64 (AArch64)
    • armel (ARMv7)
  • twisted (Twisted): see twisted: security update to 19.7.0 #1993.
  • caddy (Caddy)
    • amd64 (AMD64): FTBFS
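The eight CVEs tracked above share one shape: a client sends HTTP/2 frames that are individually legal but collectively force the server to react, allocate or queue without any request making progress (PING, SETTINGS, RST_STREAM and PRIORITY floods, empty DATA/HEADERS frames, zero-length header fields), or starves the server's flow-control window so responses pile up in memory. The fixes in the listed packages add per-connection accounting that cuts such a connection off. The Go program below is an added illustration written for this page, not code from the issue or from httpd, nginx, Go, nghttp2 or Node.js: it parses raw HTTP/2 frames (RFC 7540 framing), applies a hypothetical "useless frame" budget to a connection's traffic, and runs it over constructed byte streams for a benign upload, a PING flood and an empty-frames flood. The budget value, the productive/non-productive classification and the sample traffic are all assumptions of the example; the window-starvation variants (Data Dribble, Internal Data Buffering) need flow-control accounting that a frame counter like this does not cover.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Frame type and flag codes from RFC 7540 section 6 (only the ones this example uses).
const (
	typeData         uint8 = 0x0
	typeHeaders      uint8 = 0x1
	typePing         uint8 = 0x6
	typeWindowUpdate uint8 = 0x8
	flagEndStream    uint8 = 0x1 // on DATA and HEADERS
	flagEndHeaders   uint8 = 0x4 // on HEADERS and CONTINUATION
)

// Frame is one decoded HTTP/2 frame: the 9-octet header fields plus its payload.
type Frame struct {
	Type, Flags uint8
	StreamID    uint32
	Payload     []byte
}

// ParseFrame decodes the first frame in b (24-bit big-endian length, reserved stream-ID bit masked off) and returns the rest.
func ParseFrame(b []byte) (Frame, []byte, error) {
	if len(b) < 9 {
		return Frame{}, nil, fmt.Errorf("short frame header (%d bytes)", len(b))
	}
	length := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b)-9 < length {
		return Frame{}, nil, fmt.Errorf("truncated payload: want %d, have %d", length, len(b)-9)
	}
	f := Frame{Type: b[3], Flags: b[4], StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff, Payload: b[9 : 9+length]}
	return f, b[9+length:], nil
}

// EncodeFrame is the inverse of ParseFrame; used below to build constructed traffic.
func EncodeFrame(f Frame) []byte {
	n := len(f.Payload)
	out := make([]byte, 9+n)
	out[0], out[1], out[2], out[3], out[4] = byte(n>>16), byte(n>>8), byte(n), f.Type, f.Flags
	binary.BigEndian.PutUint32(out[5:9], f.StreamID&0x7fffffff)
	copy(out[9:], f.Payload)
	return out
}

// Analyze walks one connection's inbound frames (everything after the client preface) with an abuse
// budget: non-productive frames grow a backlog, a productive frame clears it, and a backlog over budget
// is abusive (a server would answer GOAWAY, ENHANCE_YOUR_CALM). Budget and accounting are assumptions.
func Analyze(stream []byte, budget int) (frames, maxBacklog int, abusive bool, err error) {
	backlog := 0
	for len(stream) > 0 {
		var f Frame
		if f, stream, err = ParseFrame(stream); err != nil {
			return frames, maxBacklog, maxBacklog > budget, fmt.Errorf("frame %d: %w", frames, err)
		}
		frames++
		// Productive: HEADERS with a header block, or DATA with a body or END_STREAM. PING, SETTINGS, PRIORITY,
		// RST_STREAM, WINDOW_UPDATE and zero-length DATA/HEADERS cost a reaction or allocation but advance nothing.
		productive := (f.Type == typeHeaders && len(f.Payload) > 0) ||
			(f.Type == typeData && (len(f.Payload) > 0 || f.Flags&flagEndStream != 0))
		if productive {
			backlog = 0
			continue
		}
		if backlog++; backlog > maxBacklog {
			maxBacklog = backlog
		}
	}
	return frames, maxBacklog, maxBacklog > budget, nil
}

func repeatFrames(f Frame, n int) []byte { // n encoded copies of f
	var out []byte
	for i := 0; i < n; i++ {
		out = append(out, EncodeFrame(f)...)
	}
	return out
}

// Samples builds three synthetic connections; the bytes are constructed here, not captured traffic.
func Samples() map[string][]byte {
	post := Frame{Type: typeHeaders, Flags: flagEndHeaders, StreamID: 1, Payload: []byte{0x83, 0x84}} // HPACK static :method POST, :path /
	benign := append(EncodeFrame(post), EncodeFrame(Frame{Type: typeWindowUpdate, Payload: []byte{0, 0, 0x40, 0}})...)
	benign = append(benign, repeatFrames(Frame{Type: typeData, StreamID: 1, Payload: []byte("chunk")}, 30)...)
	benign = append(benign, EncodeFrame(Frame{Type: typeData, Flags: flagEndStream, StreamID: 1})...)
	return map[string][]byte{
		"benign":       benign,                                                                                 // 33 frames, one WINDOW_UPDATE between productive frames
		"ping flood":   repeatFrames(Frame{Type: typePing, Payload: make([]byte, 8)}, 200),                   // nothing but PINGs
		"empty frames": append(EncodeFrame(post), repeatFrames(Frame{Type: typeData, StreamID: 1}, 200)...), // request never completed
	}
}

func main() {
	for name, traffic := range Samples() {
		frames, maxBacklog, abusive, err := Analyze(traffic, 50)
		fmt.Printf("%-12s frames=%d maxBacklog=%d abusive=%v err=%v\n", name, frames, maxBacklog, abusive, err)
	}
}
```

The backlog resets on productive frames, so a busy but honest client that interleaves a few PINGs or WINDOW_UPDATEs with real request data never approaches the budget, while a client that sends only control frames or zero-length frames trips it after `budget` frames regardless of how fast it sends them. A real server would also have to cap the number of queued responses (PING and SETTINGS ACKs, RST_STREAMs) it is willing to hold for a peer that is not reading, which is the other half of the mitigations in the patched packages.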
KexyBiscuit added the upgrade (Topic/issue involves a package upgrade), security (Topic/issue involves a security issue/fixed) and to-stable labels Aug 16, 2019
KexyBiscuit added this to the Summer 2019 milestone Aug 16, 2019
KexyBiscuit self-assigned this Aug 16, 2019
KexyBiscuit added 6 commits that referenced this issue Aug 16, 2019
MingcongBai (Member) commented

Dropping Caddy - unbuildable.

MingcongBai (Member) commented

Twisted update still not released.

l2dy (Member) commented Sep 7, 2019

httpd 2.4.41 also fixed CVE-2019-10092, CVE-2019-10097, CVE-2019-10098.

KexyBiscuit (Member, Author) commented Sep 19, 2019

Excluding merges, 3 authors have pushed 6 commits to trunk and 8 commits to all branches. On trunk, 9 files have changed and there have been 145 additions and 40 deletions.

Twisted hasn't been actively developed on...

KexyBiscuit (Member, Author) commented

Use AOSA-2019-0197 for Apache HTTP Server, AOSA-2019-0198 for nginx, AOSA-2019-0199 for go, AOSA-2019-0200 for nghttp2, AOSA-2019-0201 for Node.js.

KexyBiscuit added the blocked (Topic/issue has been blocked by another pending change/issue) label Sep 19, 2019
KexyBiscuit modified the milestones: Summer 2019, Fall 2019 Sep 19, 2019
KexyBiscuit (Member, Author) commented

Ubuntu marks these Twisted CVEs as deferred: https://people.canonical.com/~ubuntu-security/cve/pkg/twisted.html

KexyBiscuit modified the milestones: Fall 2019, Backlog Nov 6, 2019
KexyBiscuit added the external label and removed the blocked (Topic/issue has been blocked by another pending change/issue) label Nov 6, 2019
MingcongBai (Member) commented

Twisted superseded by #1993.

@l2dy Please assign an AOSA for each of the packages affected.

MingcongBai added the aosa-pending (Pending AOSA (AOSC OS Security Advisory) assignment) label and removed the external label Apr 20, 2020
l2dy (Member) commented Apr 20, 2020

AOSAs already assigned by @KexyBiscuit.
