Ubuntu alert USN-6754-1 (nghttp2)
From: Fabian Toepfer <fabian.toepfer@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-6754-1] nghttp2 vulnerabilities
Date: Fri, 26 Apr 2024 00:29:53 +0200
Message-ID: <4e273b71-80eb-4fcb-beaa-e3b34ee8a045@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6754-1
April 25, 2024

nghttp2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in nghttp2.

Software Description:
- nghttp2: HTTP/2 C Library and tools

Details:

It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)

It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
issue to cause nghttp2 to consume resources, leading to a denial of service.
(CVE-2024-28182)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libnghttp2-14    1.55.1-1ubuntu0.2
  nghttp2          1.55.1-1ubuntu0.2
  nghttp2-client   1.55.1-1ubuntu0.2
  nghttp2-proxy    1.55.1-1ubuntu0.2
  nghttp2-server   1.55.1-1ubuntu0.2

Ubuntu 22.04 LTS:
  libnghttp2-14    1.43.0-1ubuntu0.2
  nghttp2          1.43.0-1ubuntu0.2
  nghttp2-client   1.43.0-1ubuntu0.2
  nghttp2-proxy    1.43.0-1ubuntu0.2
  nghttp2-server   1.43.0-1ubuntu0.2

Ubuntu 20.04 LTS:
  libnghttp2-14    1.40.0-1ubuntu0.3
  nghttp2          1.40.0-1ubuntu0.3
  nghttp2-client   1.40.0-1ubuntu0.3
  nghttp2-proxy    1.40.0-1ubuntu0.3
  nghttp2-server   1.40.0-1ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libnghttp2-14    1.30.0-1ubuntu1+esm2
  nghttp2          1.30.0-1ubuntu1+esm2
  nghttp2-client   1.30.0-1ubuntu1+esm2
  nghttp2-proxy    1.30.0-1ubuntu1+esm2
  nghttp2-server   1.30.0-1ubuntu1+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libnghttp2-14    1.7.1-1ubuntu0.1~esm2
  nghttp2          1.7.1-1ubuntu0.1~esm2
  nghttp2-client   1.7.1-1ubuntu0.1~esm2
  nghttp2-proxy    1.7.1-1ubuntu0.1~esm2
  nghttp2-server   1.7.1-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6754-1
  CVE-2019-9511, CVE-2019-9513, CVE-2023-44487, CVE-2024-28182

Package Information:
  https://launchpad.net/ubuntu/+source/nghttp2/1.55.1-1ubun...
  https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubun...
  https://launchpad.net/ubuntu/+source/nghttp2/1.40.0-1ubun...