Upstream has issued an update and two patches that fix CVE-2020-11080. Cauldron has version 1.41.0, which includes these fixes.

Advisory
========

Upstream has issued two patches that fix CVE-2020-11080. The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.40.0-1.1.mga7
lib64nghttp2_14-1.40.0-1.1.mga7
lib64nghttp2_14-debuginfo-1.40.0-1.1.mga7
nghttp2-1.40.0-1.1.mga7

from nghttp2-1.40.0-1.1.mga7.src.rpm
Assignee: smelror => qa-bugs
The current version of nghttp2 in Mageia 7 is 1.38.0. We updated it to 1.40.0 for the nodejs update. Since we're updating it anyway, is there a reason to not just update it to 1.41.0?
Summary: nghttp2 CVE-2020-11080 => nghttp2 new security issue CVE-2020-11080
Source RPM: (none) => nghttp2-1.38.0-1.2.mga7.src.rpm
Keywords: (none) => feedback
Blocks: (none) => 25314
I was considering this, but I was worried about compatibility with NodeJS.
We had to update it to at least 1.39.0 for compatibility with nodejs, and the upstream build of the newest nodejs we have to update to bundles 1.41.0, so for compatibility we'd be better off updating it.
CC: (none) => luigiwalser
Thanks. I'll push 1.41.0 to mga7.

Cheers,
Stig
Advisory
========

nghttp2 has been updated to version 1.41.0 to fix CVE-2020-11080. The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.41.0-1.mga7
lib64nghttp2_14-1.41.0-1.mga7
nghttp2-1.41.0-1.mga7

from nghttp2-1.41.0-1.mga7.src.rpm
Keywords: feedback => (none)
References should also include:

https://github.com/nghttp2/nghttp2/releases/tag/v1.39.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.1
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0
Advisory
========

nghttp2 has been updated to version 1.41.0 to fix CVE-2020-11080. The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

References
==========

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.1
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0
https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0

Files
=====

Uploaded to core/updates_testing

lib64nghttp2-devel-1.41.0-1.mga7
lib64nghttp2_14-1.41.0-1.mga7
nghttp2-1.41.0-1.mga7

from nghttp2-1.41.0-1.mga7.src.rpm
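The SETTINGS-frame shape the advisory describes, as an added example that is neither nghttp2's code nor part of this bug report: it decodes the 9-byte HTTP/2 frame header, applies the RFC 7540 framing checks to a SETTINGS payload, and then rejects a frame whose entry count exceeds a per-frame cap, which is the kind of limit a hardened server applies. The 32-entry cap is an assumed policy value, and both frames are constructed sample data.

```python
import struct

FRAME_HEADER_LEN = 9        # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id (RFC 7540 4.1)
SETTINGS_TYPE = 0x4
SETTINGS_ENTRY_LEN = 6      # 16-bit identifier + 32-bit value per entry (RFC 7540 6.5.1)
MAX_SETTINGS_ENTRIES = 32   # assumed policy cap; RFC 7540 itself defines only six identifiers


def parse_frame_header(buf):
    """Decode the fixed 9-byte HTTP/2 frame header into (length, type, flags, stream_id)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type = buf[3]
    flags = buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF   # top bit is reserved
    return length, frame_type, flags, stream_id


def check_settings_frame(buf, max_entries=MAX_SETTINGS_ENTRIES):
    """Return (accepted, reason, entry_count) for one frame; non-SETTINGS frames pass through."""
    length, frame_type, flags, stream_id = parse_frame_header(buf)
    if frame_type != SETTINGS_TYPE:
        return True, "not a SETTINGS frame", 0
    if stream_id != 0:
        return False, "SETTINGS on non-zero stream (PROTOCOL_ERROR)", 0
    if flags & 0x1:                                   # ACK flag: must carry no payload
        if length != 0:
            return False, "SETTINGS ACK with payload (FRAME_SIZE_ERROR)", 0
        return True, "SETTINGS ACK", 0
    if length % SETTINGS_ENTRY_LEN != 0:
        return False, "payload not a multiple of 6 (FRAME_SIZE_ERROR)", 0
    entries = length // SETTINGS_ENTRY_LEN
    # Framing alone does not stop the reported case: 14,400 bytes sits under the default
    # 16,384-byte SETTINGS_MAX_FRAME_SIZE, so a per-frame entry cap is what bounds the work.
    if entries > max_entries:
        return False, f"{entries} settings entries exceed cap of {max_entries}", entries
    return True, "ok", entries


def settings_frame(payload):
    """Constructed sample data: wrap a raw payload in a SETTINGS frame header on stream 0."""
    return len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, 0x0]) + struct.pack("!I", 0) + payload


# Constructed samples: a normal three-entry frame, and the 14,400-byte (2400-entry) shape from
# the advisory, padded with zero bytes because only its size matters to the check.
SAMPLE_OK = settings_frame(b"".join(struct.pack("!HI", i, v) for i, v in [(0x3, 100), (0x4, 65535), (0x1, 4096)]))
SAMPLE_OVERSIZED = settings_frame(b"\x00" * 14400)

if __name__ == "__main__":
    for name, frame in (("normal", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED)):
        print(name, check_settings_frame(frame))
```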
MGA7-64 Plasma on Lenovo B50 No installation issues. Testing as in bug 25424, giving exactly the same results (commands and feedback identical). So OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0256.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED