Bug 26361 - nghttp2 new security issue CVE-2019-18802
Summary: nghttp2 new security issue CVE-2019-18802
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-19 16:18 CET by David Walser
Modified: 2020-04-01 03:58 CEST (History)
4 users (show)

See Also:
Source RPM: nghttp2-1.38.0-1.1.mga7.src.rpm
CVE: CVE-2019-18802
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-03-19 16:18:28 CET 
SUSE has issued an advisory today (March 19):
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006627.html

I believe the issue is fixed upstream in 1.40.0.
Comment 1 Nicolas Salguero 2020-03-20 13:53:32 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers. (CVE-2019-18802)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006627.html
========================

Updated packages in core/updates_testing:
========================
nghttp2-1.38.0-1.2.mga7
lib(64)nghttp2_14-1.38.0-1.2.mga7
lib(64)nghttp2-devel-1.38.0-1.2.mga7

from SRPMS:
nghttp2-1.38.0-1.2.mga7.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-18802
Assignee: nicolas.salguero => qa-bugs

Comment 2 David Walser 2020-03-20 13:56:13 CET 
CVE description describes envoy, not nghttp2.  How about this:

Suggested advisory:
========================

Updated nghttp2 packages fix security vulnerability:

Malformed request header may cause route matchers or access controls to be
bypassed, resulting in escalation of privileges or information disclosure
(CVE-2019-18802).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006627.html
Comment 3 Herman Viaene 2020-03-21 11:46:30 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Testing as in bug 25424, giving exactly the same results (commands and feedback identical).
So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-03-22 18:51:13 CET 
Validating. Best advisory is in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-03-31 23:17:53 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-04-01 03:58:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0147.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.