| Summary: | nghttp2 new security issue CVE-2020-11080 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, luigiwalser, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | nghttp2-1.38.0-1.2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 25314 | | |

Description
Stig-Ørjan Smelror
2020-06-03 21:20:03 CEST
Advisory
========

Upstream has issued two patches that fix CVE-2020-11080.

The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.40.0-1.1.mga7
lib64nghttp2_14-1.40.0-1.1.mga7
lib64nghttp2_14-debuginfo-1.40.0-1.1.mga7
nghttp2-1.40.0-1.1.mga7

from nghttp2-1.40.0-1.1.mga7.src.rpm

Assignee: smelror => qa-bugs

The current version of nghttp2 in Mageia 7 is 1.38.0. We updated it to 1.40.0 for the nodejs update. Since we're updating it anyway, is there a reason to not just update it to 1.41.0?

Summary: nghttp2 CVE-2020-11080 => nghttp2 new security issue CVE-2020-11080

David Walser
2020-06-03 21:36:54 CEST

Blocks: (none) => 25314

I was considering this, however was worried about compatibility with NodeJS.

We had to update it to at least 1.39.0 for compatibility with nodejs, and the newest nodejs we have to update to, the upstream build of it bundles 1.41.0, so for compatibility we'd be better off updating it.

CC: (none) => luigiwalser

Thanks. I'll push 1.41.0 to mga7.

Cheers,
Stig

Advisory
========

nghttp2 has been updated to version 1.41.0 to fix CVE-2020-11080.

The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.41.0-1.mga7
lib64nghttp2_14-1.41.0-1.mga7
nghttp2-1.41.0-1.mga7

from nghttp2-1.41.0-1.mga7.src.rpm

Keywords: feedback => (none)

References should also include:

https://github.com/nghttp2/nghttp2/releases/tag/v1.39.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.1
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0

Advisory
========

nghttp2 has been updated to version 1.41.0 to fix CVE-2020-11080.

The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.1
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.41.0-1.mga7
lib64nghttp2_14-1.41.0-1.mga7
nghttp2-1.41.0-1.mga7

from nghttp2-1.41.0-1.mga7.src.rpm

MGA7-64 Plasma on Lenovo B50

No installation issues.

Testing as in bug 25424, giving exactly the same results (commands and feedback identical). So OK for me.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 8.

Keywords: (none) => validated_update

Nicolas Lécureuil
2020-06-11 01:18:24 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0256.html

Status: NEW => RESOLVED
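
The advisory's figures (14,400 bytes, 2400 entries of 6 bytes each) can be checked from the 9-byte HTTP/2 frame header alone, before any payload is buffered. The following is an added example, not part of this bug report and not nghttp2's code; the function and constant names and the 32-entry cap are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_FRAME_HEADER_LEN   9
#define H2_TYPE_SETTINGS      0x4
#define H2_FLAG_ACK           0x1
#define H2_SETTINGS_ENTRY_LEN 6   /* 2-byte identifier + 4-byte value */
#define MAX_SETTINGS_ENTRIES  32  /* assumed policy cap for this example */

enum h2_verdict { H2_OK, H2_NEED_MORE, H2_FRAME_SIZE_ERROR,
                  H2_PROTOCOL_ERROR, H2_TOO_MANY_SETTINGS };

/* Decide from the frame header only whether a SETTINGS frame is acceptable.
 * *entries receives the number of settings the frame announces. */
enum h2_verdict check_settings_header(const uint8_t *buf, size_t len,
                                      size_t *entries)
{
    *entries = 0;
    if (len < H2_FRAME_HEADER_LEN)
        return H2_NEED_MORE;

    /* 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id */
    uint32_t payload_len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t type = buf[3], flags = buf[4];
    uint32_t stream_id = (((uint32_t)buf[5] & 0x7f) << 24) |
                         ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 8) | buf[8];

    if (type != H2_TYPE_SETTINGS)
        return H2_OK;                       /* other frame types: not checked here */
    if (stream_id != 0)
        return H2_PROTOCOL_ERROR;           /* SETTINGS is connection-level only */
    if (flags & H2_FLAG_ACK)
        return payload_len == 0 ? H2_OK : H2_FRAME_SIZE_ERROR;
    if (payload_len % H2_SETTINGS_ENTRY_LEN != 0)
        return H2_FRAME_SIZE_ERROR;

    *entries = payload_len / H2_SETTINGS_ENTRY_LEN;
    return *entries > MAX_SETTINGS_ENTRIES ? H2_TOO_MANY_SETTINGS : H2_OK;
}

int main(void)
{
    /* Constructed header: SETTINGS, length 0x003840 = 14400, stream 0 */
    const uint8_t hdr[9] = {0x00, 0x38, 0x40, 0x04, 0x00, 0, 0, 0, 0};
    size_t n;
    enum h2_verdict v = check_settings_header(hdr, sizeof hdr, &n);
    printf("entries=%zu verdict=%d\n", n, (int)v);
    return 0;
}
```

A rejected frame should lead to closing the connection rather than skipping the frame, since the advisory describes the same frame being sent over and over again.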