SUSE has issued an advisory today (March 19):
I believe the issue is fixed upstream in 1.40.0.
The updated packages fix a security vulnerability:
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers. (CVE-2019-18802)
Updated packages in core/updates_testing:
CVE description describes envoy, not nghttp2. How about this:
Updated nghttp2 packages fix a security vulnerability:
Malformed request header may cause route matchers or access controls to be
bypassed, resulting in escalation of privileges or information disclosure
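As an added illustration of the bypass described in that advisory text (this is stand-alone example code written for this page, not nghttp2's, Envoy's or the Mageia package's own code; all function names below are this example's own assumptions), the following C program shows why an exact-bytes host matcher accepts "example.com " as a different name from "example.com", and two ways a server can close the gap: rejecting values with leading or trailing whitespace as malformed, as HTTP/2 (RFC 9113, section 8.2.1) requires, or trimming optional whitespace (RFC 7230 OWS) before matching so the matcher and the upstream see the same value.

```c
/* Example code illustrating the trailing-whitespace header bypass.
 * Not taken from nghttp2, Envoy or the Mageia packages; the helper
 * names are this example's own. */
#include <stdio.h>
#include <string.h>

/* RFC 7230 optional whitespace (OWS) is SP or HTAB. */
static int is_ows(unsigned char c) { return c == ' ' || c == '\t'; }

/* RFC 9113 section 8.2.1: an HTTP/2 field value that starts or ends with
 * whitespace is malformed. Returns 1 if the value must be rejected. */
int value_has_edge_ws(const char *val, size_t len)
{
    if (len == 0) return 0;
    return is_ows((unsigned char)val[0]) || is_ows((unsigned char)val[len - 1]);
}

/* Strip leading and trailing OWS (RFC 7230 section 3.2 normalization).
 * Returns a pointer into 'val' and writes the trimmed length to *out_len. */
const char *trim_ows(const char *val, size_t len, size_t *out_len)
{
    size_t start = 0, end = len;
    while (start < end && is_ows((unsigned char)val[start])) start++;
    while (end > start && is_ows((unsigned char)val[end - 1])) end--;
    *out_len = end - start;
    return val + start;
}

/* The weak matcher: compares the raw bytes received on the wire.
 * "example.com " has 12 bytes, "example.com" has 11, so they never match
 * and a rule keyed on "example.com" is silently skipped. */
int host_matches_raw(const char *val, size_t len, const char *pattern)
{
    size_t plen = strlen(pattern);
    return len == plen && memcmp(val, pattern, plen) == 0;
}

/* Hardened variant 1: refuse malformed values outright (HTTP/2 rule), so the
 * request never reaches routing with a value another layer might later trim.
 * Returns 1 on match, 0 on mismatch, -1 when the request must be rejected. */
int host_matches_strict(const char *val, size_t len, const char *pattern)
{
    if (value_has_edge_ws(val, len)) return -1;
    return host_matches_raw(val, len, pattern);
}

/* Hardened variant 2: for front ends that must tolerate HTTP/1.1 OWS,
 * normalize first and match the trimmed value, so the matcher and the
 * upstream that receives the header agree on what the value is. */
int host_matches_trimmed(const char *val, size_t len, const char *pattern)
{
    size_t tlen;
    const char *t = trim_ows(val, len, &tlen);
    return host_matches_raw(t, tlen, pattern);
}

int main(void)
{
    /* Constructed sample values: the second carries the bypassing space. */
    const char *pattern = "example.com";
    const char *samples[] = { "example.com", "example.com ", "\texample.com \t" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *v = samples[i];
        size_t len = strlen(v);
        printf("value \"%s\": raw=%d strict=%d trimmed=%d\n", v,
               host_matches_raw(v, len, pattern),
               host_matches_strict(v, len, pattern),
               host_matches_trimmed(v, len, pattern));
    }
    return 0;
}
```

Only the raw matcher lets "example.com " slip past a rule written for "example.com"; the strict matcher refuses the request (a -1 result should become a 400 or a stream reset), and the trimming matcher makes the rule fire. Whichever policy a server picks, the important property is that every component that interprets the header value applies the same one.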
MGA7-64 Plasma on Lenovo B50
No installation issues.
Testing as in bug 25424, giving exactly the same results (commands and feedback identical).
So OK for me.
Validating. Best advisory is in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.