ELA-984-1 nghttp2 security update
Package : nghttp2
Version : 1.18.1-1+deb9u3 (stretch)
Related CVEs :
CVE-2023-44487
CVE-2023-44487 describes a flaw in the HTTP/2 protocol that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame immediately followed by a RST_STREAM frame. This can cause a denial of service through resource exhaustion.
The applied patches mitigate this flaw by rate-limiting the cancellation of streams and disconnecting the client when this limit is exceeded.
A nghttp2 security update has been released for Debian GNU/Linux 9 Extended LTS to address a flaw in the HTTP/2 protocol that allows an attacker to rapidly create and cancel streams.
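As an added illustration of the mitigation strategy described above, the following is a token-bucket limit on client stream cancellations that ends the connection once the bucket runs dry; it is example code written for this page, not nghttp2's or Debian's patch, and the burst and refill values, the frame-event tuples and the sample sequences are all assumptions constructed inline.

```python
"""Per-connection rate limit on RST_STREAM frames (illustrative, not nghttp2 code)."""
from dataclasses import dataclass, field


@dataclass
class ResetRateLimiter:
    """Token bucket: each client RST_STREAM draws one token; tokens refill over time."""
    burst: int = 100      # assumed: cancellations tolerated before refill matters
    rate: float = 10.0    # assumed: tokens refilled per second
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)  # tolerate out-of-order timestamps
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


def process_frames(frames, burst=100, rate=10.0):
    """frames: iterable of (timestamp_seconds, frame_type, stream_id) from one client.

    Returns (frames_consumed, disconnected). HEADERS opens a stream, RST_STREAM
    closes it and spends a token; the first RST_STREAM with no token available
    ends the connection, mirroring the advisory's "disconnect when exceeded".
    """
    limiter = ResetRateLimiter(burst, rate)
    open_streams = set()
    count = 0
    for count, (ts, ftype, sid) in enumerate(frames, 1):
        if ftype == "HEADERS":
            open_streams.add(sid)
        elif ftype == "RST_STREAM":
            open_streams.discard(sid)
            if not limiter.allow(ts):
                return count, True
    return count, False


def headers_then_reset_sequence(pairs, interval):
    """Constructed sample traffic: `pairs` streams, each opened and immediately
    cancelled, with `interval` seconds between successive streams."""
    frames = []
    for i in range(pairs):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        frames.append((i * interval, "HEADERS", sid))
        frames.append((i * interval, "RST_STREAM", sid))
    return frames
```

With the assumed bucket of 100 tokens refilling at 10 per second, a client cancelling a stream every second is never cut off, while one cancelling every 0.1 ms is disconnected at its 101st RST_STREAM.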