Bug 33087 - nghttp2 new security issue CVE-2024-28182 (HTTP/2 CONTINUATION Flood)
Summary: nghttp2 new security issue CVE-2024-28182 (HTTP/2 CONTINUATION Flood)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nowotarski.info/http2-continu...
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-10 15:46 CEST by Marc Krämer
Modified: 2024-04-17 04:14 CEST (History)

See Also:
Source RPM: nghttp2-1.54.0-1.mga9.src.rpm
CVE: CVE-2024-28182
Status comment:


Attachments

Marc Krämer 2024-04-10 15:48:34 CEST

CVE: (none) => CVE-2024-2653,CVE-2024-27316,CVE-2024-24549,CVE-2024-28182,CVE-2023-45288

Marc Krämer 2024-04-10 15:57:52 CEST

Depends on: (none) => 33059

Comment 1 Nicolas Salguero 2024-04-10 16:00:57 CEST
For Apache, the issue was fixed in bug 33059.

For Tomcat, the issue was fixed in bug 32980.

For golang, the issue is described in bug 33068.

For nghttp2, the link above says it affects versions <= 1.29.2 and, for Mageia 9, the version is 1.54.0, so it seems the problem is already fixed.

CC: (none) => nicolas.salguero
Depends on: (none) => 32980, 33068

Comment 2 Nicolas Salguero 2024-04-10 16:10:44 CEST
(In reply to Nicolas Salguero from comment #1)
> For nghttp2, the link above says it affects versions <= 1.29.2 and, for
> Mageia 9, the version is 1.54.0, so it seems the problem is already fixed.

Oops, I read the wrong line.

Versions of nghttp2 <= 1.60.0 are affected by CVE-2024-28182.
Comment 3 Marc Krämer 2024-04-10 16:16:00 CEST
Pushed nghttp2 for the mga9 build.

Should we file bugs for each package?

-tomcat
-nghttp2
-golang
-nodejs
Comment 4 Marc Krämer 2024-04-10 16:16:44 CEST
Node.js	2024-01-15	<=18.20.0, <=20.12.0, <=21.7.1	CVE-2024-27983
Comment 5 Nicolas Salguero 2024-04-10 16:17:56 CEST
For completeness:
  - For h2 Rust crate, the issue is described in bug 33060.
  - For nodejs, the issue was fixed in bug 33055.

Depends on: (none) => 33060, 33055

Comment 6 Nicolas Salguero 2024-04-10 16:20:25 CEST
(In reply to Marc Krämer from comment #3)
> Should we file bugs for each package?
> 
> -tomcat
> -nghttp2
> -golang
> -nodejs

Yes, in that case, we created one bug per package.
Comment 7 Nicolas Salguero 2024-04-10 16:21:30 CEST
So this bug can be used to handle nghttp2.
Nicolas Salguero 2024-04-10 16:27:20 CEST

CVE: CVE-2024-2653,CVE-2024-27316,CVE-2024-24549,CVE-2024-28182,CVE-2023-45288 => CVE-2024-28182
Source RPM: apache => nghttp2-1.54.0-1.mga9.src.rpm
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33060

Nicolas Salguero 2024-04-10 16:27:33 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33068

Nicolas Salguero 2024-04-10 16:27:46 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=32980

Nicolas Salguero 2024-04-10 16:27:52 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33055

Nicolas Salguero 2024-04-10 16:28:01 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33059

Nicolas Salguero 2024-04-10 16:28:09 CEST

Depends on: 33060, 33068, 32980, 33055, 33059 => (none)

Nicolas Salguero 2024-04-10 16:30:12 CEST

Summary: Security: http2 continuation flood => nghttp2 new security issue CVE-2024-28182 (HTTP/2 CONTINUATION Flood)

Comment 8 Marc Krämer 2024-04-10 20:48:42 CEST
Updated nghttp2 packages fix security vulnerabilities:

The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream.
This update fixes the issue.

This is the latest release, which will bring some more fixes and improvements.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182
https://nowotarski.info/http2-continuation-flood/
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
========================

Updated packages in core/updates_testing:
========================
nghttp2-1.61.0-1.mga9
lib64nghttp2_14-1.61.0-1.mga9
lib64nghttp2-devel-1.61.0-1.mga9
lib64nghttp2_14-debuginfo-1.61.0-1.mga9
nghttp2-debugsource-1.61.0-1.mga9


Source RPMs:
nghttp2-1.61.0-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
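
As an added example (not nghttp2's code and not part of this bug report), a receiver-side guard that models the bounded behaviour the advisory above asks for: it walks a raw HTTP/2 frame sequence, tracks the header block left open by a HEADERS frame, keeps counting CONTINUATION frames for a stream even after RST_STREAM (as HPACK synchronisation requires), and refuses the connection once one header block exceeds a cap; the default cap of 8 is an assumed value, the frame layout and type codes follow RFC 9113, and the sample traffic is constructed.

```python
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9   # RFC 9113 frame type codes
END_HEADERS = 0x4                                   # flag on HEADERS / CONTINUATION

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) from a raw frame sequence."""
    off = 0
    while off < len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if off + 9 + length > len(buf):
            raise ValueError("truncated frame")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, stream_id, buf[off + 9:off + 9 + length]
        off += 9 + length

def inspect_header_blocks(buf, max_continuations=8):
    """Walk frames like a receiver; refuse a header block over the cap (8 is assumed)."""
    open_stream = None   # stream whose header block has not seen END_HEADERS yet
    reset = set()        # streams already cancelled with RST_STREAM
    stats = {"verdict": "OK", "continuations": 0, "after_reset": 0}
    for ftype, flags, sid, _payload in iter_frames(buf):
        if ftype == HEADERS:
            open_stream = None if flags & END_HEADERS else sid
            stats["continuations"] = 0          # the cap applies per header block
        elif ftype == RST_STREAM:
            reset.add(sid)   # block stays open: HPACK state must still be kept in sync
        elif ftype == CONTINUATION:
            if sid != open_stream:
                stats["verdict"] = "PROTOCOL_ERROR"   # nothing to continue
                return stats
            stats["continuations"] += 1
            stats["after_reset"] += int(sid in reset)  # decode work for a dead stream
            if stats["continuations"] > max_continuations:
                stats["verdict"] = "ENHANCE_YOUR_CALM"  # stop instead of reading forever
                return stats
            if flags & END_HEADERS:
                open_stream = None
    return stats

# Constructed traffic, not a capture: one clean header block, then a block whose
# stream is reset while CONTINUATION frames keep arriving for it.
BENIGN = build_frame(HEADERS, 0, 1, b"\x82") + build_frame(CONTINUATION, END_HEADERS, 1, b"\x86")
FLOOD = (build_frame(HEADERS, 0, 3, b"\x82") + build_frame(RST_STREAM, 0, 3, b"\x00\x00\x00\x08")
         + b"".join(build_frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(20)))
```

Before the fix a receiver behaves like `max_continuations=100` on `FLOOD`: it keeps decoding every frame for the reset stream; with the cap it stops after the ninth.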

katnatek 2024-04-13 04:12:41 CEST

Keywords: (none) => advisory

Comment 9 katnatek 2024-04-16 03:32:18 CEST
RH Mageia 9 x86_64

LC_ALL=C urpmi nghttp2 lib64nghttp2_14 lib64nghttp2-devel 


installing nghttp2-1.61.0-1.mga9.x86_64.rpm lib64nghttp2_14-1.61.0-1.mga9.x86_64.rpm lib64nghttp2-devel-1.61.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64nghttp2_14       ##################################################################################################
      2/3: lib64nghttp2-devel    ##################################################################################################
      3/3: nghttp2               ##################################################################################################
      1/2: removing lib64nghttp2-devel-1.54.0-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64nghttp2_14-1.54.0-1.mga9.x86_64
                                 ##################################################################################################

Reference https://bugs.mageia.org/show_bug.cgi?id=25424#c3

Something has changed since then; I can't reproduce the test, some files are missing.

nghttp
-bash: nghttp: orden no encontrada

urpmq -pil nghttp2
Name        : nghttp2
Version     : 1.61.0
Release     : 1.mga9
Group       : System/Libraries
Size        : 43815                        Architecture: x86_64
Source RPM  : nghttp2-1.61.0-1.mga9.src.rpm   Build Host: localhost
Packager    : mokraemer <mokraemer>
URL         : https://nghttp2.org/
Summary     : Experimental HTTP/2 client, server and proxy
Description :
This package contains the HTTP/2 client, server and proxy programs.
/usr/share/man/man1/h2load.1.xz
/usr/share/man/man1/nghttp.1.xz
/usr/share/man/man1/nghttpd.1.xz
/usr/share/man/man1/nghttpx.1.xz
/usr/share/nghttp2
/usr/share/nghttp2/fetch-ocsp-response

Name        : nghttp2
Version     : 1.54.0
Release     : 1.mga9
Group       : System/Libraries
Size        : 43664                        Architecture: x86_64
Source RPM  : nghttp2-1.54.0-1.mga9.src.rpm
URL         : https://nghttp2.org/
Summary     : Experimental HTTP/2 client, server and proxy
Description :
This package contains the HTTP/2 client, server and proxy programs.

/usr/share/man/man1/h2load.1.xz
/usr/share/man/man1/nghttp.1.xz
/usr/share/man/man1/nghttpd.1.xz
/usr/share/man/man1/nghttpx.1.xz
/usr/share/nghttp2
/usr/share/nghttp2/fetch-ocsp-response

So the missing files do not exist in either the current package or the testing package.
katnatek 2024-04-16 03:32:36 CEST

Keywords: (none) => feedback

Comment 10 katnatek 2024-04-16 03:36:24 CEST
In the Fedora package https://fedora.pkgs.org/rawhide/fedora-x86_64/nghttp2-1.61.0-1.fc41.x86_64.rpm.html the missing files are listed, so it is a packaging issue in Mageia.
katnatek 2024-04-16 19:57:55 CEST

Keywords: feedback => (none)
CC: (none) => andrewsfarm

Comment 11 katnatek 2024-04-16 19:59:44 CEST
Searching by myself, it looks like Mageia does not have all the required libraries to build the binaries.

So giving OK based on a clean install.

Whiteboard: (none) => MGA9-64-OK

Comment 12 Thomas Andrews 2024-04-16 20:31:08 CEST
So, we check for what uses the library:

(Removing duplicates)
$ urpmq --whatrequires lib64nghttp2_14
apache-mod_http2
bind
lib64bind9.18.15
lib64curl4
lib64gpac12
lib64nghttp2-devel
lib64nghttp2_14
lib64soup3.0_0
lib64wget1
lib64wireshark16

And, $ urpmq --whatrequires-recursive lib64nghttp2_14 gives a very, very long list. 

We should at least test one or more of them with strace to see if they still work, and that file(s) from the library have been accessed.

Removing the OK, for now.

Whiteboard: MGA9-64-OK => (none)

Comment 13 Thomas Andrews 2024-04-17 00:22:19 CEST
I sent the recursive list of what requires the library to a text file, and a list of what doesn't use it in some fashion would be shorter. So, if the update installs cleanly, and the system shows no ill effects afterward when used for a period of time, that should be enough. Restoring the 64-bit OK.

But, because it is so basic to Mageia operation, before validating we'll need a 32-bit test, as well.

Whiteboard: (none) => MGA9-64-OK

Comment 14 Thomas Andrews 2024-04-17 02:42:43 CEST
On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, ath3 wifi, MGA9-32 Xfce4. 

Used qarepo to go after the packages, except for debug, but libnghttp2_14 was the only one that updated. No installation issues. Rebooted, checked for updates again, installed a couple of games to exercise curl and/or wget, no issues to report.

Giving this a 32-bit OK, and validating.

Keywords: (none) => validated_update
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2024-04-17 04:14:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0135.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

