-------------------------------------------------------------------------
Debian LTS Advisory DLA-3621-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Sean Whitton
October 16, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nghttp2
Version        : 1.36.0-2+deb10u2
CVE ID         : CVE-2020-11080 CVE-2023-44487
Debian Bug     : 962145 1053769

Multiple vulnerabilities were discovered in nghttp2, an implementation of
the HTTP/2 protocol.

CVE-2020-11080

    A denial-of-service could be caused by a large HTTP/2 SETTINGS frame
    payload.

CVE-2023-44487

    A denial-of-service could be caused by resetting many HTTP/2 streams
    quickly. This has been observed in the wild since August.

For Debian 10 buster, these problems have been fixed in version
1.36.0-2+deb10u2.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
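The two issues above are both resource-exhaustion patterns at the HTTP/2 framing layer, so they can be illustrated with defensive checks on frame headers and frame timing. The block below is an added example written for this advisory; it is not nghttp2 code and does not reproduce the project's fixes. It parses the 9-byte HTTP/2 frame header (RFC 7540 section 4.1), rejects SETTINGS frames whose payload is malformed or holds more entries than an assumed cap (the CVE-2020-11080 class: an unbounded SETTINGS payload is buffered and processed), and computes the peak RST_STREAM rate per connection over a sliding window so that a connection resetting streams far faster than normal clients (the CVE-2023-44487 pattern) can be flagged. The cap `MAX_SETTINGS_ENTRIES`, the window, the threshold and the sample events are constructed values chosen for the example, not figures from the advisory.

```python
"""Defensive checks for the two nghttp2 issues in DLA-3621-1 (added example,
not nghttp2 code).

Frame layout per RFC 7540 section 4.1: 24-bit length, 8-bit type, 8-bit
flags, 1 reserved bit + 31-bit stream identifier. A SETTINGS payload
(section 6.5) is a sequence of 6-byte entries (16-bit id, 32-bit value).
"""
import struct
from collections import defaultdict, deque

FRAME_HEADER_LEN = 9
TYPE_RST_STREAM = 0x3
TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_ENTRY_LEN = 6

# Assumed policy value for this example: the most entries one SETTINGS frame
# may carry. A fixed bound keeps a peer from making the receiver buffer and
# walk an arbitrarily large payload (the CVE-2020-11080 class of issue).
MAX_SETTINGS_ENTRIES = 32


def parse_frame_header(buf):
    """Return (length, type, flags, stream_id) from a 9-byte frame header."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype = buf[3]
    flags = buf[4]
    # Mask off the reserved high bit of the stream identifier.
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return length, ftype, flags, stream_id


def build_frame_header(length, ftype, flags, stream_id):
    """Construct a frame header (used only to build sample input)."""
    return length.to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id)


def check_settings_frame(hdr, max_entries=MAX_SETTINGS_ENTRIES):
    """Return None if a SETTINGS header is acceptable, else a rejection reason.
    Non-SETTINGS frames are not this function's concern and return None."""
    length, ftype, flags, stream_id = hdr
    if ftype != TYPE_SETTINGS:
        return None
    if stream_id != 0:
        return "PROTOCOL_ERROR: SETTINGS on non-zero stream"
    if flags & FLAG_ACK:
        return None if length == 0 else "FRAME_SIZE_ERROR: SETTINGS ACK with payload"
    if length % SETTINGS_ENTRY_LEN != 0:
        return "FRAME_SIZE_ERROR: payload not a multiple of 6"
    entries = length // SETTINGS_ENTRY_LEN
    if entries > max_entries:
        return "too many SETTINGS entries (%d > %d)" % (entries, max_entries)
    return None


def peak_reset_rate(events, window=1.0):
    """Per connection, the largest number of RST_STREAM frames seen inside any
    sliding window of `window` seconds. `events` is an iterable of
    (timestamp, connection_id, frame_type) tuples sorted by timestamp."""
    peaks = defaultdict(int)
    recent = defaultdict(deque)
    for ts, conn, ftype in events:
        if ftype != TYPE_RST_STREAM:
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peaks[conn] = max(peaks[conn], len(q))
    return dict(peaks)


def flag_rapid_reset(events, window=1.0, threshold=100):
    """Connection ids whose peak reset rate exceeds `threshold` per window."""
    return sorted(c for c, n in peak_reset_rate(events, window).items() if n > threshold)


# Constructed sample data: "conn-a" resets 150 streams within half a second,
# "conn-b" cancels three requests spread over five seconds.
SAMPLE_EVENTS = (
    [(i * 0.5 / 150, "conn-a", TYPE_RST_STREAM) for i in range(150)]
    + [(t, "conn-b", TYPE_RST_STREAM) for t in (0.2, 2.5, 4.9)]
)
SAMPLE_EVENTS.sort()

if __name__ == "__main__":
    oversized = parse_frame_header(build_frame_header(6 * 1000, TYPE_SETTINGS, 0, 0))
    print("oversized SETTINGS:", check_settings_frame(oversized))
    print("peak resets per second:", peak_reset_rate(SAMPLE_EVENTS))
    print("flagged connections:", flag_rapid_reset(SAMPLE_EVENTS))
```

The header checks are the kind a frame decoder applies before allocating anything for the payload; the reset-rate function is the kind of signal a server or reverse proxy can use to close or rate-limit a connection, which is the mitigation shape for the second issue, alongside upgrading the package.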