RedHat has issued an advisory on September 9: https://access.redhat.com/errata/RHSA-2019:2692 The issue is fixed upstream in 1.39.2. The RedHat bugs have links and information about the commit(s) that fixed it. Mageia 6 is also affected.
Status comment: (none) => Fixed upstream in 1.39.2
Whiteboard: (none) => MGA6TOO
Assigning globally as this pkg has no maintainer; I would have CC'd oden but am not sure that he is still active with us.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9511)

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. (CVE-2019-9513)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://access.redhat.com/errata/RHSA-2019:2692
========================

Updated packages in 6/core/updates_testing:
========================
nghttp2-1.9.2-1.1.mga6
lib(64)nghttp2_14-1.9.2-1.1.mga6
lib(64)nghttp2-devel-1.9.2-1.1.mga6

from SRPMS:
nghttp2-1.9.2-1.1.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
nghttp2-1.38.0-1.1.mga7
lib(64)nghttp2_14-1.38.0-1.1.mga7
lib(64)nghttp2-devel-1.38.0-1.1.mga7

from SRPMS:
nghttp2-1.38.0-1.1.mga7.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2019-9511, CVE-2019-9513
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
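The two CVEs in the advisory above describe traffic patterns rather than a single malformed input: a flood of tiny WINDOW_UPDATE increments that forces DATA to be queued in 1-byte pieces, and a stream of PRIORITY frames that keeps reshuffling the priority tree. The following is an added example (not nghttp2's code and not part of the bug report) that parses raw HTTP/2 frames per RFC 7540, renders a SETTINGS frame the way the nghttp -v output in the test comments shows it, and scores a connection for those two patterns from the defender's side. The sample byte stream is constructed inline, and the thresholds in assess_connection (small_increment, max_small_updates, max_priority_ratio) are assumptions chosen for the example, not values taken from nghttp2 or from the fix.

```python
"""Added example: parse raw HTTP/2 frames and score a connection for the
window-update and priority-churn patterns described in CVE-2019-9511 and
CVE-2019-9513. Illustrative code, not nghttp2's implementation."""
import struct
from collections import Counter

# Frame type codes from RFC 7540 section 6
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
# Settings identifiers from RFC 7540 section 6.5.2
SETTINGS_NAMES = {0x1: "SETTINGS_HEADER_TABLE_SIZE", 0x2: "SETTINGS_ENABLE_PUSH",
                  0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
                  0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
                  0x5: "SETTINGS_MAX_FRAME_SIZE", 0x6: "SETTINGS_MAX_HEADER_LIST_SIZE"}


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Split a byte stream into (type, flags, stream_id, payload) tuples (RFC 7540 section 4.1)."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    if off != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def format_settings(frame):
    """Render a SETTINGS frame in the style of nghttp -v output."""
    ftype, flags, stream_id, payload = frame
    if ftype != 0x4 or len(payload) % 6:
        raise ValueError("not a well-formed SETTINGS frame")
    niv = len(payload) // 6
    lines = ["SETTINGS frame <length=%d, flags=0x%02x, stream_id=%d> (niv=%d)"
             % (len(payload), flags, stream_id, niv)]
    for i in range(niv):
        ident, value = struct.unpack("!HI", payload[6 * i:6 * i + 6])
        lines.append("[%s(0x%02x):%d]" % (SETTINGS_NAMES.get(ident, "UNKNOWN"), ident, value))
    return lines


def assess_connection(frames, small_increment=16, max_small_updates=8, max_priority_ratio=2.0):
    """Count per-connection signals of the two DoS patterns.
    Thresholds are assumptions for this example, not values from nghttp2 or the advisory."""
    counts = Counter(FRAME_TYPES.get(f[0], "UNKNOWN") for f in frames)
    # WINDOW_UPDATE payload is a 31-bit increment; many tiny increments force 1-byte DATA chunks
    small_updates = sum(
        1 for ftype, _, _, payload in frames
        if ftype == 0x8 and (int.from_bytes(payload, "big") & 0x7FFFFFFF) < small_increment)
    # PRIORITY frames far outnumbering real request/response frames indicates priority-tree churn
    useful = counts["HEADERS"] + counts["DATA"]
    priority_ratio = counts["PRIORITY"] / max(useful, 1)
    return {"frames": dict(counts),
            "small_window_updates": small_updates,
            "priority_ratio": priority_ratio,
            "window_abuse": small_updates > max_small_updates,
            "priority_churn": priority_ratio > max_priority_ratio}


# Constructed sample SETTINGS frame with three settings (18-byte payload)
SAMPLE_SETTINGS = build_frame(0x4, 0x0, 0,
                              struct.pack("!HIHIHI", 0x3, 100, 0x4, 1048576, 0x1, 8192))


def sample_connection():
    """Constructed sample: one request, ten 1-byte WINDOW_UPDATEs, six PRIORITY reshuffles."""
    stream = SAMPLE_SETTINGS
    stream += build_frame(0x1, 0x5, 1, b"\x82\x84")  # HEADERS, END_HEADERS|END_STREAM (HPACK :method GET, :path /)
    for _ in range(10):
        stream += build_frame(0x8, 0x0, 1, (1).to_bytes(4, "big"))  # WINDOW_UPDATE, increment 1
    for i in range(6):
        dependency = 3 + 2 * (i % 3)  # keep moving stream 1 under a different parent
        stream += build_frame(0x2, 0x0, 1, dependency.to_bytes(4, "big") + b"\x10")  # PRIORITY
    return stream


if __name__ == "__main__":
    frames = parse_frames(sample_connection())
    print("\n".join(format_settings(frames[0])))
    print(assess_connection(frames))
```

Running the block prints the SETTINGS frame in nghttp's notation and a verdict dict in which both window_abuse and priority_churn are set for the constructed stream; a connection with only the SETTINGS and HEADERS frames scores clean. In a real deployment the counters would be kept per connection and reset as legitimate DATA flows, which is the kind of accounting the fixed nghttp2 does internally.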
MGA6-64 Plasma on Lenovo B50
No installation issues
No wiki, no previous updates.
Found https://nghttp2.org/documentation/package_README.html#unit-tests and tried some commands after stopping httpd:

nghttp -nv https://nghttp2.org
[ 0.298] Connected
The negotiated protocol: h2
[ 0.913] recv SETTINGS frame <length=24, flags=0x00, stream_id=0>
         (niv=3)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
         [SETTINGS_INITIAL_WINDOW_SIZE(0x04):1048576]
         [SETTINGS_HEADER_TABLE_SIZE(0x01):8192]
[ 0.913] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
         (niv=2)
and a load more, seems OK.

$ nghttpd --no-tls -v 8080
IPv4: listen 0.0.0.0:8080
IPv6: listen :::8080
[id=1] [ 11.365] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
and some more, can't see anything wrong there
BUT pointing the browser to http://localhost:8080 just shows some unreadable characters, while https://localhost:8080 returns "Secure connection failed"

trying the client against the running server
$ nghttp -nv https://localhost:8080/
[ 0.000] Connected
Some requests were not processed. total=1, processed=0

Giving up here, I guess the server needs more configuration.
CC: (none) => herman.viaene
Keywords: (none) => advisory
CC: (none) => tmb
mga7, x86_64
Installed the core packages and experimented, following the leads in comment 3. Similar results - could take it no further.
Updated the three packages from testing and ran the same commands but left apache running.

$ nghttp -nv https://nghttp2.org
[ 0.390] Connected
The negotiated protocol: h2
[ 0.925] recv SETTINGS frame <length=24, flags=0x00, stream_id=0>
         (niv=4)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[...]
[ 1.778] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
         (last_stream_id=2, error_code=NO_ERROR(0x00), opaque_data(0)=[])

$ nghttpd --no-tls -v 8080
IPv4: listen 0.0.0.0:8080
IPv6: listen :::8080
<...waiting...>
[id=1] [ 53.866] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=1] [ 53.866] closed
[id=2] [145.322] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=2] [145.322] closed
<...then...>
[id=5] [267.329] send SETTINGS frame <length=6, flags=0x00, stream_id=0>
         (niv=1)
         [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[id=5] [267.330] closed

In another terminal
$ nghttp -nv https://localhost:8080/
[ 0.011] Connected
Some requests were not processed. total=1, processed=0

There was activity in the terminal running the server and further activity when port 8080 was opened in a browser (which displayed binary data).
Killed the server and restarted it in daemon mode.
$ nghttpd -D -d /home/lcl --no-tls -v 8080
$
In a browser binary data was displayed again at localhost:8080/.
Killed the server via the PID.
$ ps ax | grep nghttpd
24029 ? Ss 0:00 nghttpd -D -d /home/lcl --no-tls -v 8080
$ zap 24029

As best we can tell it looks like it works at a basic level.
CC: (none) => tarazed25
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
Giving this an MGA6 OK based on Herman's test, and validating.
Keywords: (none) => validated_update
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0291.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED