-------------------------------------------------------------------------
Debian LTS Advisory DLA-4290-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
September 02, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-h2
Version        : 4.0.0-3+deb11u1
CVE ID         : CVE-2025-57804
Debian Bug     : 1112348

A vulnerability has been discovered in python-h2, a Python HTTP/2 protocol
implementation.

CVE-2025-57804

    An HTTP/2 request splitting vulnerability allows attackers to perform
    request smuggling attacks by injecting CRLF characters into headers.
    This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without
    properly validating header names and values, enabling attackers to
    manipulate request boundaries and bypass security controls.

For Debian 11 bullseye, this problem has been fixed in version
4.0.0-3+deb11u1.

We recommend that you upgrade your python-h2 packages.

For the detailed security status of python-h2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/python-h2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
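The advisory describes the failure mode (header names or values carrying CR/LF survive an HTTP/2 to HTTP/1.1 downgrade and split the request) without showing the check that prevents it. The following is an added illustration, not the python-h2 patch and not code from the Debian package: a stand-alone validator and downgrade routine that refuses any header that could not be re-serialised unambiguously as HTTP/1.1. The function names, the pseudo-header handling and the constructed sample headers are this example's own assumptions.

```python
"""Validate HTTP/2 headers before re-serialising them as HTTP/1.1.

Added example (not python-h2 code): shows the class of check that stops a
CR/LF inside a header name or value from becoming a request boundary when
an HTTP/2 request is downgraded to HTTP/1.1.
"""
import re
from typing import Iterable, List, Tuple

# RFC 9110 "token" characters; the only characters allowed in a field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Characters that would end a header line or the header block early.
_FORBIDDEN_IN_VALUE = ("\r", "\n", "\x00")

# HTTP/2 request pseudo-headers that map onto the HTTP/1.1 request line.
PSEUDO_HEADERS = {":method", ":scheme", ":authority", ":path"}


class HeaderValidationError(ValueError):
    """Raised when a header cannot be serialised to HTTP/1.1 unambiguously."""


def validate_header(name: str, value: str) -> None:
    """Raise HeaderValidationError unless (name, value) is safe to serialise."""
    # Pseudo-header names are tokens after the leading colon; anything else
    # starting with ':' is rejected by the token check below.
    check_name = name[1:] if name in PSEUDO_HEADERS else name
    if not _TOKEN_RE.match(check_name):
        raise HeaderValidationError(f"invalid header name {name!r}")
    if not value.isascii():
        raise HeaderValidationError(f"non-ASCII value in {name!r}")
    for ch in _FORBIDDEN_IN_VALUE:
        if ch in value:
            raise HeaderValidationError(f"control character {ch!r} in value of {name!r}")
    # RFC 9113 forbids leading/trailing whitespace in HTTP/2 field values, and
    # once downgraded it would be silently trimmed or misparsed.
    if value != value.strip(" \t"):
        raise HeaderValidationError(f"surrounding whitespace in value of {name!r}")
    # Values that land in the request line must not contain separators.
    if name == ":method" and not _TOKEN_RE.match(value):
        raise HeaderValidationError(f"invalid method {value!r}")
    if name == ":path" and (" " in value or "\t" in value or not value):
        raise HeaderValidationError(f"invalid path {value!r}")


def downgrade_to_http1(headers: Iterable[Tuple[str, str]]) -> bytes:
    """Serialise validated HTTP/2 request headers as an HTTP/1.1 request head."""
    pseudo = {}
    regular: List[Tuple[str, str]] = []
    for name, value in headers:
        validate_header(name, value)
        if name.startswith(":"):
            if name in pseudo:
                raise HeaderValidationError(f"duplicate pseudo-header {name!r}")
            pseudo[name] = value
        elif name.lower() == "host":
            # Simplification for this example: Host is derived from :authority only.
            raise HeaderValidationError("send :authority instead of a host header")
        else:
            regular.append((name, value))
    for required in (":method", ":path", ":authority"):
        if required not in pseudo:
            raise HeaderValidationError(f"missing pseudo-header {required!r}")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in regular]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def is_rejected(headers: Iterable[Tuple[str, str]]) -> bool:
    """True if the downgrade refuses the header set (used by the demo below)."""
    try:
        downgrade_to_http1(headers)
    except HeaderValidationError:
        return True
    return False


# Constructed sample request (not captured traffic).
GOOD_HEADERS = [(":method", "GET"), (":scheme", "https"),
                (":authority", "example.test"), (":path", "/index.html"),
                ("user-agent", "demo/1.0")]

# Constructed hostile variants: a CRLF in a value and a CRLF in a name.
CRLF_VALUE = GOOD_HEADERS + [("x-note", "a\r\nx-injected: b")]
CRLF_NAME = GOOD_HEADERS + [("x-note\r\nx-injected", "b")]

if __name__ == "__main__":
    print(downgrade_to_http1(GOOD_HEADERS))
    print("CRLF in value rejected:", is_rejected(CRLF_VALUE))
    print("CRLF in name rejected:", is_rejected(CRLF_NAME))
```

Running the block prints the serialised request for the clean header set and `True` for both constructed variants. The point to take from it is where the check sits: validation runs on every header before a single byte of HTTP/1.1 is produced, so a rejected header fails the whole request rather than reaching the backend as an extra line.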