ELA-984-1 nghttp2 security update
Package : nghttp2
Version : 1.18.1-1+deb9u3 (stretch)
Related CVEs :
CVE-2023-44487
CVE-2023-44487 describes a flaw in the HTTP2 protocol that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame
immediately followed by a RST_STREAM. This can cause a denial of service due to resource exhaustion.
The applied patches mitigate this flaw by rate limiting the cancellation of streams and disconnecting the client when these limits are exceeded.
A nghttp2 security update has been released for Debian GNU/Linux 9 Extended LTS to address a flaw in the HTTP2 protocol.
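
The mitigation described above, sketched as an added example (not the nghttp2 patch itself): a per-connection token bucket that counts received RST_STREAM frames and tells the caller to disconnect once the budget is spent. The token-bucket approach, the names `reset_limiter` and `count_accepted`, and the limits (burst of 100, refill of 10 per second) are assumptions chosen for illustration, and the traffic is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Token bucket for stream resets on one connection (illustrative names). */
typedef struct {
    uint64_t burst;   /* bucket capacity: resets tolerated in one burst */
    uint64_t rate;    /* tokens regained per second */
    uint64_t tokens;  /* tokens currently available */
    uint64_t last;    /* time of last refill, in seconds */
} reset_limiter;

void reset_limiter_init(reset_limiter *rl, uint64_t burst, uint64_t rate, uint64_t now) {
    rl->burst = burst; rl->rate = rate; rl->tokens = burst; rl->last = now;
}

/* Account for one received RST_STREAM. Returns 1 while the peer is within
   budget, 0 once the limit is exceeded (caller should drop the connection). */
int reset_limiter_on_rst_stream(reset_limiter *rl, uint64_t now) {
    if (now > rl->last && rl->rate != 0) {
        uint64_t elapsed = now - rl->last;
        uint64_t room = rl->burst - rl->tokens;
        /* Compare by division so elapsed * rate cannot overflow. */
        if (elapsed > room / rl->rate) rl->tokens = rl->burst;
        else rl->tokens += elapsed * rl->rate;
    }
    if (now > rl->last) rl->last = now;
    if (rl->tokens == 0) return 0;
    rl->tokens--;
    return 1;
}

/* Constructed traffic: per_second resets each second for the given duration.
   Returns how many resets were accepted before the limiter tripped. */
uint64_t count_accepted(uint64_t burst, uint64_t rate, uint64_t per_second, uint64_t seconds) {
    reset_limiter rl;
    uint64_t accepted = 0;
    reset_limiter_init(&rl, burst, rate, 0);
    for (uint64_t t = 0; t < seconds; t++)
        for (uint64_t i = 0; i < per_second; i++) {
            if (!reset_limiter_on_rst_stream(&rl, t)) return accepted;
            accepted++;
        }
    return accepted;
}

int main(void) {
    printf("flood: %llu accepted\n", (unsigned long long)count_accepted(100, 10, 1000, 1));
    printf("normal: %llu accepted\n", (unsigned long long)count_accepted(100, 10, 5, 60));
    return 0;
}
```

A client that resets streams faster than the refill rate is cut off after the burst allowance, while one that cancels a few streams per second is never disconnected.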