Bugzilla – Bug 1221399
VUL-0: CVE-2024-28182: nghttp2: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Last modified: 2024-05-22 10:21:45 UTC
via VINCE
CVE: CVE-2024-28182
ID: VU#421644.5
Case: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Date Added: 2024-03-08
Description: An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
CRD: 2024-03-28
CRD: 2024-04-04
I browsed over the discussion thread and they had no patches for nghttp2.
ok, thanks
still no patch in the VINCE issue.
(In reply to Marcus Meissner from comment #6)
> still no patch in the VINCE issue.
Thanks for the update, Marcus.
Created attachment 874022 [details]
nghttp2-patch.tar.gz

nghttp2-patch.tar.gz attached to VINCE report overnight.
Submitted for 15sp2,15sp1-caasp,15,12sp2.
Is public: https://kb.cert.org/vuls/id/421644
They redid the patchset.
Request into devel project https://build.opensuse.org/request/show/1164552
Created attachment 874051 [details]
nghttp2-patch-2nd.tar.gz

nghttp2-patch-2nd.tar.gz from VINCE
diff seems: -+ session->max_continuations = 0; ++ session->num_continuations = 0;
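Review bot: the interdiff only swaps the field being reset: the first patchset zeroed session->max_continuations, which by its name is the configured cap, where the second zeroes session->num_continuations, the running count. Worth confirming that the submissions built from nghttp2-patch.tar.gz were superseded by nghttp2-patch-2nd.tar.gz everywhere before the maintenance updates shipped.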
I have resubmitted to 15sp2,15sp1-caasp,15,12sp2. 15sp6 has branched nghttp2, but same sources as 15sp2. This could have been de-branched? Also submitted for ALP: https://build.suse.de/request/show/325387, not sure whether this will fly at this point in time. Let me know in case I should resubmit somewhere else.
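To make the failure mode in the VINCE description and the counters in the interdiff concrete, here is an added example (written for this page, not nghttp2's or SUSE's code) of a frame walker that enforces a per-header-block CONTINUATION cap modelled on the fix's max_continuations/num_continuations fields; the field names follow the diff fragment, while the frame constants, function names, cap values and the constructed input are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not nghttp2's code: a per-header-block CONTINUATION cap modelled on the
 * fix's counters. Field names follow the diff fragment above; all else is assumed here. */
#define H2_HDR_LEN          9    /* 24-bit length, type, flags, 31-bit stream id */
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4
enum h2_result { H2_OK = 0, H2_ERR_TOO_MANY_CONTINUATIONS = -1, H2_ERR_PROTOCOL = -2 };
typedef struct {
    size_t max_continuations, num_continuations; /* cap, and frames seen in this block */
    int in_header_block;                         /* HEADERS seen, END_HEADERS not yet */
} h2_session;

/* Walk raw HTTP/2 frames and fail as soon as the cap is exceeded, rather than
 * buffering an unbounded CONTINUATION sequence. Payload bytes are skipped. */
enum h2_result h2_process_frames(h2_session *s, const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + H2_HDR_LEN <= len;) {
        uint32_t plen = ((uint32_t)buf[off] << 16) | ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3], flags = buf[off + 4];
        if (type == H2_HEADERS) {
            s->num_continuations = 0;
            s->in_header_block = !(flags & H2_FLAG_END_HEADERS);
        } else if (type == H2_CONTINUATION) {
            if (!s->in_header_block) return H2_ERR_PROTOCOL; /* outside a header block */
            if (++s->num_continuations > s->max_continuations) return H2_ERR_TOO_MANY_CONTINUATIONS;
            if (flags & H2_FLAG_END_HEADERS) s->in_header_block = 0;
        }
        off += H2_HDR_LEN + plen;
    }
    return H2_OK;
}

/* Constructed input: an empty HEADERS frame on stream 1 followed by n_cont empty
 * CONTINUATION frames, the last one carrying END_HEADERS. Returns the verdict. */
enum h2_result h2_check_block(size_t n_cont, size_t cap)
{
    uint8_t buf[H2_HDR_LEN * 64], frame[H2_HDR_LEN] = {0, 0, 0, H2_HEADERS, 0, 0, 0, 0, 1};
    h2_session s = { cap, 0, 0 };
    size_t n = 0;
    if (n_cont > 63) n_cont = 63;                      /* stay within buf */
    memcpy(buf + n, frame, H2_HDR_LEN); n += H2_HDR_LEN;
    frame[3] = H2_CONTINUATION;                        /* remaining frames are CONTINUATION */
    for (size_t i = 0; i < n_cont; i++) {
        frame[4] = (i + 1 == n_cont) ? H2_FLAG_END_HEADERS : 0;
        memcpy(buf + n, frame, H2_HDR_LEN); n += H2_HDR_LEN;
    }
    return h2_process_frames(&s, buf, n);
}
```

The counter is reset on every HEADERS frame, so a legitimate header block with a few CONTINUATION frames passes while a long run is refused without the rest of the sequence ever being buffered.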
Factory submission: https://build.opensuse.org/request/show/1164560
SUSE-SU-2024:1156-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221399
CVE References: CVE-2024-28182
Maintenance Incident: [SUSE:Maintenance:33198](https://smelt.suse.de/incident/33198/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): nghttp2-1.39.2-3.18.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): nghttp2-1.39.2-3.18.1
SUSE Linux Enterprise Server 12 SP5 (src): nghttp2-1.39.2-3.18.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): nghttp2-1.39.2-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1167-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221399
CVE References: CVE-2024-28182
Maintenance Incident: [SUSE:Maintenance:33194](https://smelt.suse.de/incident/33194/)
Sources used:
openSUSE Leap Micro 5.3 (src): nghttp2-1.40.0-150200.17.1
openSUSE Leap Micro 5.4 (src): nghttp2-1.40.0-150200.17.1
openSUSE Leap 15.5 (src): nghttp2-python-1.40.0-150200.17.1, nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro 5.3 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro 5.4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro 5.5 (src): nghttp2-1.40.0-150200.17.1
Basesystem Module 15-SP5 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nghttp2-1.40.0-150200.17.1
SUSE Manager Proxy 4.3 (src): nghttp2-1.40.0-150200.17.1
SUSE Manager Retail Branch Server 4.3 (src): nghttp2-1.40.0-150200.17.1
SUSE Manager Server 4.3 (src): nghttp2-1.40.0-150200.17.1
SUSE Enterprise Storage 7.1 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro 5.1 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro 5.2 (src): nghttp2-1.40.0-150200.17.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): nghttp2-1.40.0-150200.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted also for 15sp6: https://build.suse.de/request/show/325784
I believe all fixed. If something missing, please reassign directly to me.
SUSE:SLFO:Main https://build.suse.de/request/show/329896
It was declined with this reason:
> gleidi declined review 5 days ago
> Moved to SUSE:SLFO:Main with request https://build.suse.de/request/show/329896
So should I just reopen?
yes please.
SUSE:ALP:Source:Standard:1.0 https://build.suse.de/request/show/325387 was reopened.