Ubuntu Security Notice USN-6754-2

Ubuntu Security Notice USN-6754-2: Posted May 9, 2024; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6754-2 - USN-6754-1 fixed vulnerabilities in nghttp2. This update provides the corresponding update for Ubuntu 24.04 LTS. It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.; tags | advisory, remote, web, denial of service, vulnerability; systems | linux, ubuntu; advisories | CVE-2019-9513, CVE-2023-44487, CVE-2024-28182; SHA-256 | a626406c69b2c3819d9892a59563e91ef3909ded6eee46f3085c5cbec0e0e54b; Download | Favorite | View

Ubuntu Security Notice USN-6754-2

==========================================================================
Ubuntu Security Notice USN-6754-2
May 07, 2024

nghttp2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in nghttp2.

Software Description:
- nghttp2: HTTP/2 C Library and tools

Details:

USN-6754-1 fixed vulnerabilities in nghttp2. This update provides the
corresponding update for Ubuntu 24.04 LTS.

Original advisory details:

  It was discovered that nghttp2 incorrectly handled the HTTP/2
  implementation. A remote attacker could possibly use this issue to cause
  nghttp2 to consume resources, leading to a denial of service. This issue
  only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
  CVE-2019-9513)

  It was discovered that nghttp2 incorrectly handled request cancellation. A
  remote attacker could possibly use this issue to cause nghttp2 to consume
  resources, leading to a denial of service. This issue only affected Ubuntu
  16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

  It was discovered that nghttp2 could be made to process an unlimited 
number
  of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
  issue to cause nghttp2 to consume resources, leading to a denial of
  service. (CVE-2024-28182)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
   libnghttp2-14                   1.59.0-1ubuntu0.1
   nghttp2                         1.59.0-1ubuntu0.1
   nghttp2-client                  1.59.0-1ubuntu0.1
   nghttp2-proxy                   1.59.0-1ubuntu0.1
   nghttp2-server                  1.59.0-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6754-2
   https://ubuntu.com/security/notices/USN-6754-1
   CVE-2024-28182

Package Information:
   https://launchpad.net/ubuntu/+source/nghttp2/1.59.0-1ubuntu0.1

Top Authors In Last 30 Days

Red Hat 294 files
Ubuntu 64 files
Debian 24 files
Apple 14 files
LiquidWorm 12 files
Gentoo 8 files
Google Security Research 4 files
Andrey Stoykov 3 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,171)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,070)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,426)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,010)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Ubuntu Security Notice USN-6754-2

Ubuntu Security Notice USN-6754-2

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ubuntu Security Notice USN-6754-2

Share This

Ubuntu Security Notice USN-6754-2

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems