Security update for nghttp2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20002-1 Final 1 1 2025-02-03T08:46:07Z current 2025-02-03T08:46:07Z 2025-02-03T08:46:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nghttp2 This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-18 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520002-1/ Link for SUSE-SU-2025:20002-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021393.html E-Mail link for SUSE-SU-2025:20002-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221399 SUSE Bug 1221399 https://www.suse.com/security/cve/CVE-2024-28182/ SUSE CVE CVE-2024-28182 page SUSE Linux Micro 6.0 libnghttp2-14-1.52.0-5.1 libnghttp2-14-1.52.0-5.1 as a component of SUSE Linux Micro 6.0 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. CVE-2024-28182 SUSE Linux Micro 6.0:libnghttp2-14-1.52.0-5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520002-1/ https://www.suse.com/security/cve/CVE-2024-28182.html CVE-2024-28182 https://bugzilla.suse.com/1221399 SUSE Bug 1221399