
A nghttp2 security update has been released for Debian GNU/Linux 9 Extended LTS to address a flaw in the HTTP2 protocol.



ELA-984-1 nghttp2 security update

Package : nghttp2
Version : 1.18.1-1+deb9u3 (stretch)

Related CVEs :
CVE-2023-44487

CVE-2023-44487 describes a flaw in the HTTP2 protocol that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame
immediately followed by a RST_STREAM. This can cause a denial of service due to resource exhaustion.
The applied patches mitigate this flaw by rate limiting the cancellation of streams and disconnecting the client when these limits are exceeded.
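
The mitigation described above, sketched as an added example (not the Debian patch or nghttp2's own code): a per-connection token bucket that spends one token per RST_STREAM received and tells the caller to disconnect once the budget is exhausted. The struct, the function names and the limits (burst of 100, refill of 10 per second) are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection limiter (assumed names and limits, not nghttp2's API). */
typedef struct {
    uint64_t tokens;   /* cancellations still allowed right now */
    uint64_t burst;    /* bucket capacity */
    uint64_t rate;     /* tokens restored per second */
    uint64_t last_sec; /* time of the last refill, in whole seconds */
} rst_limiter;

void rst_limiter_init(rst_limiter *rl, uint64_t burst, uint64_t rate, uint64_t now) {
    rl->tokens = rl->burst = burst;
    rl->rate = rate;
    rl->last_sec = now;
}

/* Call once per RST_STREAM received. Returns true while the client is within
   budget, false when the caller should disconnect it. */
bool rst_limiter_on_rst_stream(rst_limiter *rl, uint64_t now) {
    if (now > rl->last_sec) {
        uint64_t elapsed = now - rl->last_sec;
        uint64_t room = rl->burst - rl->tokens;
        /* Refill, capped at burst; comparing first avoids overflow in the product. */
        if (rl->rate && elapsed > room / rl->rate) rl->tokens = rl->burst;
        else rl->tokens += elapsed * rl->rate;
        rl->last_sec = now;
    }
    if (rl->tokens == 0) return false;
    rl->tokens--;
    return true;
}

/* Constructed traffic: per_sec RST_STREAM frames every second for secs seconds.
   Returns the 1-based index of the frame that triggers a disconnect, or 0 if none. */
uint64_t simulate_client(uint64_t burst, uint64_t rate, uint64_t per_sec, uint64_t secs) {
    rst_limiter rl;
    uint64_t n = 0;
    rst_limiter_init(&rl, burst, rate, 0);
    for (uint64_t t = 0; t < secs; t++)
        for (uint64_t i = 0; i < per_sec; i++, n++)
            if (!rst_limiter_on_rst_stream(&rl, t)) return n + 1;
    return 0;
}

int main(void) {
    printf("steady client: %llu\n", (unsigned long long)simulate_client(100, 10, 10, 60));
    printf("reset flood:   %llu\n", (unsigned long long)simulate_client(100, 10, 1000, 60));
    return 0;
}
```

A client that cancels at or below the refill rate is never disconnected, while one that exceeds it is cut off as soon as the burst allowance is spent.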
