libnghttp2-14-1.43.0-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11091-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libnghttp2-14-1.43.0-1.6 on GA media These are all security issues fixed in the libnghttp2-14-1.43.0-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11091 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1000168/ SUSE CVE CVE-2018-1000168 page https://www.suse.com/security/cve/CVE-2019-9511/ SUSE CVE CVE-2019-9511 page https://www.suse.com/security/cve/CVE-2020-11080/ SUSE CVE CVE-2020-11080 page openSUSE Tumbleweed libnghttp2-14-1.43.0-1.6 libnghttp2-14-32bit-1.43.0-1.6 libnghttp2-devel-1.43.0-1.6 libnghttp2_asio-devel-1.43.0-1.6 libnghttp2_asio1-1.43.0-1.6 libnghttp2_asio1-32bit-1.43.0-1.6 nghttp2-1.43.0-1.6 libnghttp2-14-1.43.0-1.6 as a component of openSUSE Tumbleweed libnghttp2-14-32bit-1.43.0-1.6 as a component of openSUSE Tumbleweed libnghttp2-devel-1.43.0-1.6 as a component of openSUSE Tumbleweed libnghttp2_asio-devel-1.43.0-1.6 as a component of openSUSE Tumbleweed libnghttp2_asio1-1.43.0-1.6 as a component of openSUSE Tumbleweed libnghttp2_asio1-32bit-1.43.0-1.6 as a component of openSUSE Tumbleweed nghttp2-1.43.0-1.6 as a component of openSUSE Tumbleweed nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1. CVE-2018-1000168 openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6 openSUSE Tumbleweed:nghttp2-1.43.0-1.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000168.html CVE-2018-1000168 https://bugzilla.suse.com/1088639 SUSE Bug 1088639 https://bugzilla.suse.com/1097401 SUSE Bug 1097401 Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVE-2019-9511 openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6 openSUSE Tumbleweed:nghttp2-1.43.0-1.6 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9511.html CVE-2019-9511 https://bugzilla.suse.com/1145579 SUSE Bug 1145579 https://bugzilla.suse.com/1146091 SUSE Bug 1146091 https://bugzilla.suse.com/1146182 SUSE Bug 1146182 https://bugzilla.suse.com/1193427 SUSE Bug 1193427 https://bugzilla.suse.com/1202787 SUSE Bug 1202787 In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. CVE-2020-11080 openSUSE Tumbleweed:libnghttp2-14-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-14-32bit-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio-devel-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-1.43.0-1.6 openSUSE Tumbleweed:libnghttp2_asio1-32bit-1.43.0-1.6 openSUSE Tumbleweed:nghttp2-1.43.0-1.6 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11080.html CVE-2020-11080 https://bugzilla.suse.com/1172441 SUSE Bug 1172441 https://bugzilla.suse.com/1172442 SUSE Bug 1172442 https://bugzilla.suse.com/1181358 SUSE Bug 1181358