Date: Fri, 16 Aug 2019 18:11:39 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r509113 - head/security/vuxml Message-ID: <201908161811.x7GIBdNk029457@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Fri Aug 16 18:11:39 2019 New Revision: 509113 URL: https://svnweb.freebsd.org/changeset/ports/509113 Log: Document nghttp2 vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Aug 16 18:11:33 2019 (r509112) +++ head/security/vuxml/vuln.xml Fri Aug 16 18:11:39 2019 (r509113) @@ -58,6 +58,51 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="121fec01-c042-11e9-a73f-b36f5969f162"> + <topic>nghttp2 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>libnghttp2</name> + <name>nghttp2</name> + <range><lt>1.39.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>nghttp2 GitHub releases:</p> + <blockquote cite="https://github.com/nghttp2/nghttp2/releases">; + <p>This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 + "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted + HTTP/2 frames cause Denial of Service by consuming CPU time. Check out + https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md + for details. For nghttpx, additionally limiting inbound traffic by + --read-rate and --read-burst options is quite effective against this + kind of attack.</p> + <p>CVE-2019-9511 "Data Dribble": The attacker requests a large amount of + data from a specified resource over multiple streams. They manipulate + window size and stream priority to force the server to queue the data in + 1-byte chunks. Depending on how efficiently this data is queued, this + can consume excess CPU, memory, or both, potentially leading to a + denial of service.</p> + <p>CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an + HTTP/2 peer, causing the peer to build an internal queue of responses. + Depending on how efficiently this data is queued, this can consume + excess CPU, memory, or both, potentially leading to a denial of service.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/nghttp2/nghttp2/releases</url>; + <url>https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md</url>; + <cvename>CVE-2019-9511</cvename> + <cvename>CVE-2019-9513</cvename> + </references> + <dates> + <discovery>2019-08-13</discovery> + <entry>2019-08-16</entry> + </dates> + </vuln> + <vuln vid="60e991ac-c013-11e9-b662-001cc0382b2f"> <topic>CUPS -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908161811.x7GIBdNk029457>