Bug 960576 - (CVE-2015-8659) VUL-0: CVE-2015-8659 nghttp2: heap-use-after-free flaw in idle stream handling code
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Assigned To: Martin Pluskal
Security Team bot
https://smash.suse.de/issue/160069/
Depends on:
Blocks:
Reported: 2016-01-04 12:52 UTC by Johannes Segitz
Modified: 2016-01-07 08:41 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-01-04 12:52:37 UTC
rh#1295351

1.6.0 fixes a heap-use-after-free bug in the idle stream handling code.

Factory already has the fix.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1295351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8659
http://seclists.org/oss-sec/2015/q4/576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8659
Comment 1 Swamp Workflow Management 2016-01-04 23:00:39 UTC
bugbot adjusting priority
Comment 2 Martin Pluskal 2016-01-06 14:12:19 UTC
Hmm, it is my understanding that the mentioned issue is solved by https://github.com/tatsuhiro-t/nghttp2/commit/f8c30d022982d089fb90543c0cd5628b161d065d, which also means that openSUSE:Leap (nghttp2-1.3.4) is not affected, since the affected code was introduced in a later version.
Comment 3 Johannes Segitz 2016-01-07 08:41:44 UTC
(In reply to Martin Pluskal from comment #2)
I went by the version number and didn't check the source for this issue. So then we don't have to do an update, thanks for looking into this.