| Summary: | nghttp2 new security issues CVE-2019-9511 and CVE-2019-9513 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | | |
| Source RPM: | nghttp2-1.38.0-1.mga7.src.rpm | CVE: | CVE-2019-9511, CVE-2019-9513 |
| Status comment: | Fixed upstream in 1.39.2 | | |
Description

David Walser 2019-09-10 16:54:37 CEST

David Walser 2019-09-10 16:54:48 CEST

Status comment: (none) => Fixed upstream in 1.39.2

Assigning globally as this pkg has no maintainer; I would have CC'd oden but am not sure that he is still active with us.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9511)

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. (CVE-2019-9513)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://access.redhat.com/errata/RHSA-2019:2692
========================

Updated packages in 6/core/updates_testing:
========================
nghttp2-1.9.2-1.1.mga6
lib(64)nghttp2_14-1.9.2-1.1.mga6
lib(64)nghttp2-devel-1.9.2-1.1.mga6

from SRPMS:
nghttp2-1.9.2-1.1.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
nghttp2-1.38.0-1.1.mga7
lib(64)nghttp2_14-1.38.0-1.1.mga7
lib(64)nghttp2-devel-1.38.0-1.1.mga7

from SRPMS:
nghttp2-1.38.0-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero

MGA6-64 Plasma on Lenovo B50
No installation issues
No wiki, no previous updates.
Found https://nghttp2.org/documentation/package_README.html#unit-tests and tried some commands after stopping httpd:

```
nghttp -nv https://nghttp2.org
[ 0.298] Connected
The negotiated protocol: h2
[ 0.913] recv SETTINGS frame <length=24, flags=0x00, stream_id=0>
         (niv=3)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
         [SETTINGS_INITIAL_WINDOW_SIZE(0x04):1048576]
         [SETTINGS_HEADER_TABLE_SIZE(0x01):8192]
[ 0.913] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
         (niv=2)
```

and a load more, seems OK.

```
$ nghttpd --no-tls -v 8080
IPv4: listen 0.0.0.0:8080
IPv6: listen :::8080
[id=1] [ 11.365] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
```

and some more, can't see anything wrong there BUT pointing the browser to http://localhost:8080 just shows some unreadable characters, while https://localhost:8080 returns "Secure connection failed".

Trying the client against the running server:

```
$ nghttp -nv https://localhost:8080/
[ 0.000] Connected
Some requests were not processed. total=1, processed=0
```

Giving up here, I guess the server needs more configuration.

CC: (none) => herman.viaene
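As an added illustration of the two denial-of-service patterns the suggested advisory above describes (not code from this bug report or from the nghttp2 project), here is a small Python HTTP/2 frame parser with a defender-side heuristic: it counts tiny WINDOW_UPDATE increments per stream (the 1-byte-chunk "data dribble" of CVE-2019-9511) and PRIORITY reshuffles per connection (the priority-tree churn of CVE-2019-9513). The thresholds, the `encode_frame` helper and the `sample_streams` input are assumptions constructed for this example; only the 9-octet frame layout and the type codes come from RFC 7540.

```python
from collections import Counter
WINDOW_UPDATE, PRIORITY = 0x8, 0x2  # HTTP/2 frame type codes (RFC 7540, section 6)

def parse_frames(data):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")      # 24-bit payload length
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:                             # edge case: cut-off capture
            raise ValueError("truncated frame at offset %d" % off)
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def classify(frames, small_increment=16, dribble_limit=8, churn_limit=8):
    """Flag data dribble (many tiny WINDOW_UPDATEs on one stream, CVE-2019-9511) and
    resource loop (many PRIORITY frames on one connection, CVE-2019-9513). Assumed thresholds."""
    small_updates, priority_frames = Counter(), 0
    for ftype, _flags, sid, payload in frames:
        if ftype == WINDOW_UPDATE and len(payload) == 4:
            increment = int.from_bytes(payload, "big") & 0x7FFFFFFF  # 31-bit increment
            if increment <= small_increment:
                small_updates[sid] += 1
        elif ftype == PRIORITY and len(payload) == 5:          # 4 bytes E+dependency, 1 byte weight
            priority_frames += 1
    findings = {}
    dribble = sorted(s for s, n in small_updates.items() if n >= dribble_limit)
    if dribble:
        findings["CVE-2019-9511"] = dribble
    if priority_frames >= churn_limit:
        findings["CVE-2019-9513"] = priority_frames
    return findings

def encode_frame(ftype, stream_id, payload, flags=0):
    """Build one frame header + payload; used only to construct the sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def sample_streams():
    """Constructed inputs: a benign connection, and one showing both patterns."""
    big, tiny = (65535).to_bytes(4, "big"), (1).to_bytes(4, "big")
    prio = (0).to_bytes(4, "big") + b"\x10"                   # depend on stream 0, weight 16
    benign = b"".join(encode_frame(WINDOW_UPDATE, 0, big) for _ in range(3))
    benign += encode_frame(PRIORITY, 1, prio)
    bad = b"".join(encode_frame(WINDOW_UPDATE, 1, tiny) for _ in range(10))
    bad += b"".join(encode_frame(PRIORITY, 1 + 2 * (i % 3), prio) for i in range(10))
    return benign, bad
```

Against a real capture the same two counters would be fed from the decoded frames of a single connection; anything the heuristic flags is a candidate for rate limiting or closing the connection, which is the approach the fixed nghttp2 releases take internally.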
Thomas Backlund 2019-09-21 16:30:13 CEST

Keywords: (none) => advisory

mga7, x86_64

Installed the core packages and experimented, following the leads in comment 3. Similar results - could take it no further.
Updated the three packages from testing and ran the same commands but left apache running.

```
$ nghttp -nv https://nghttp2.org
[ 0.390] Connected
The negotiated protocol: h2
[ 0.925] recv SETTINGS frame <length=24, flags=0x00, stream_id=0>
         (niv=4)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[...]
[ 1.778] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
         (last_stream_id=2, error_code=NO_ERROR(0x00), opaque_data(0)=[])
```

```
$ nghttpd --no-tls -v 8080
IPv4: listen 0.0.0.0:8080
IPv6: listen :::8080
<...waiting...>
[id=1] [ 53.866] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=1] [ 53.866] closed
[id=2] [145.322] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=2] [145.322] closed
<...then...>
[id=5] [267.329] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=5] [267.330] closed
```

In another terminal:

```
$ nghttp -nv https://localhost:8080/
[ 0.011] Connected
Some requests were not processed. total=1, processed=0
```

There was activity in the terminal running the server and further activity when port 8080 was opened in a browser (which displayed binary data).
Killed the server and restarted it in daemon mode.

```
$ nghttpd -D -d /home/lcl --no-tls -v 8080
$
```

In a browser binary data was displayed again at localhost:8080/.
Killed the server via the PID.

```
$ ps ax | grep nghttpd
24029 ? Ss 0:00 nghttpd -D -d /home/lcl --no-tls -v 8080
$ zap 24029
```

As best we can tell it looks like it works at a basic level.

CC: (none) => tarazed25

Giving this an MGA6 OK based on Herman's test, and validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0291.html

Resolution: (none) => FIXED