|
|
Subscribe / Log in / New account

Ubuntu alert USN-7469-4 (h2o)



From:
              John Breton <john.breton@canonical.com>


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-7469-4] H2O vulnerability


Date:
              Wed, 30 Apr 2025 08:56:32 -0400


Message-ID:
              <f0f93391-0c16-4b4a-9f7f-c70ae1ee0c3a@canonical.com>


==========================================================================
Ubuntu Security Notice USN-7469-4
April 30, 2025

h2o vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

H2O could be made to crash if it received specially crafted network
traffic.

Software Description:
- h2o: an optimized HTTP server with support for HTTP/1.x, HTTP/2, and HTTP/3

Details:

USN-7469-1 fixed a vulnerability in Apache Traffic Server. This update
provides the corresponding updates for H2O.

Original advisory details:

  It was discovered that Apache Traffic Server exhibited poor server
  resource management in its HTTP/2 protocol. An attacker could possibly
  use this issue to cause Apache Traffic Server to crash, resulting in
  a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
   h2o                             2.2.4+dfsg-1ubuntu0.1~esm2
                                   Available with Ubuntu Pro
   libh2o0.13                      2.2.4+dfsg-1ubuntu0.1~esm2
                                   Available with Ubuntu Pro

After a standard system update you need to restart H2O to make all the
necessary changes.

References:
https://ubuntu.com/security/notices/USN-7469-4
https://ubuntu.com/security/notices/USN-7469-3
https://ubuntu.com/security/notices/USN-7469-2
https://ubuntu.com/security/notices/USN-7469-1
   CVE-2023-44487





Attachment: OpenPGP_signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEyMDHOTG0YH5UsajI8pSCVQZYHygFAmgSHgEFAwAAAAAACgkQ8pSCVQZYHyjB
kg/+MD0QcRaIu/kx7OUDdrh2yug95o3o+GNoSBT7U7DDMYOp63BxfNE2BQfb9qkIVRE59cmIXMUJ
2xDv3FEnAdH2/J6JqykSbRAZFYO5qI0mvowiuQ800aVwkUjEe3u0VDE4QN6/6ZanZg0VG4RTpvXJ
/+/+kBQ6DPFtl4sFn68+0qmVa0/7ccxv+0H83XnlNdvfYy75OUqmE78L3tK4g1d2+omJXFu34tEK
H75mlvnygqzqkr0OmNyOm3iZGR3w9djb0VYx4WaIS8jsKOcKWmSLLIXJcVcfeJZy1C1NhUt/x9Xq
XeuxFhyIEiLkR+UhxonuUEKpq9ATHuX4jUrdvQelMIHwGPnmWu/dJ9qaLjRaDPhvRD6MbDGu6I5c
wgx43kZLV1+7W4lCyMFjjOhiBKLeoBUutqi+1CAoaaa76jdESJd9/cndMpy/hhfd9ng3N2Lzvogy
3YCU3Lw6H7BB7CxGAZ3cYAEcHYGxiJPPjkB3zFootKy2WIAngjC2a/O+2nlDPs7SWX3ktvM95YBv
0Fi0njlZ1kTwRPIjbQLQ4x/KcnCd3GhpM0sF96avuGI7a/xrMNz7zC79XEXCrd1HIlYE4+bzcnXn
TxReDu1l56CLxlWozBV/dmPubtKMTZnQs0iH/oWs1I5YiIfQu69ozaFGJZfw8MBTbrivtue8EczM
PPo=
=FVpm
-----END PGP SIGNATURE-----




Attachment: None (type=text/plain)
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds