Date: Sun, 05 Apr 2026 11:56:07 +0000
From: Fernando Apesteguía <fernape@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: f2b8dcc5bc95 - main - security/vuxml: Add {lib}nghttp2 vulnerability
Message-ID: <69d24dd7.22da5.69f9442c@gitrepo.freebsd.org>
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f2b8dcc5bc953e4ae50853ea2eab0d812d7f8fb7

commit f2b8dcc5bc953e4ae50853ea2eab0d812d7f8fb7
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2026-04-05 11:54:26 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2026-04-05 11:54:26 +0000

    security/vuxml: Add {lib}nghttp2 vulnerability

    CVE-2026-27135
    Base Score: 7.5 HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
---
 security/vuxml/vuln/2026.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 3fd0c9e165e1..a538ae1d46ed 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,48 @@ + <vuln vid="c08273b5-30e5-11f1-b9f2-b42e991fc52e"> + <topic>nghttp2 -- CWE-617: Reachable Assertion</topic> + <affects> + <package> + <name>libnghttp2</name> + <range><lt>1.68.1</lt></range> + </package> + <package> + <name>nghttp2</name> + <range><lt>1.68.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 reports:</p> + <blockquote cite="https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6"> + <p> + nghttp2 is an implementation of the Hypertext Transfer + Protocol version 2 in C. Prior to version 1.68.1, the + nghttp2 library stops reading the incoming data when user + facing public API `nghttp2_session_terminate_session` or + `nghttp2_session_terminate_session2` is called by the + application. They might be called internally by the + library when it detects the situation that is subject to + connection error. Due to the missing internal state + validation, the library keeps reading the rest of the data + after one of those APIs is called. Then receiving a + malformed frame that causes FRAME_SIZE_ERROR causes + assertion failure. nghttp2 v1.68.1 adds missing state + validation to avoid assertion failure. No known + workarounds are available. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-27135</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2026-27135</url> + </references> + <dates> + <discovery>2026-03-18</discovery> + <entry>2026-04-05</entry> + </dates> + </vuln> + <vuln vid="a117f43b-2f7b-11f1-89f4-b42e991fc52e"> <topic>MongoDB Server -- CWE-617: Reachable Assertion</topic> <affects>
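Review bot: the `<references>` block of the new entry carries only the `<cvename>` and the MITRE CVE URL, while the upstream GHSA advisory that the description quotes (https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6) appears only as the introductory `<p>` text and the `blockquote cite` attribute; add it as a `<url>` under `<references>` so the rendered VuXML entry links directly to the advisory that describes the 1.68.1 fix. The `<range><lt>1.68.1</lt></range>` on both the libnghttp2 and nghttp2 packages matches the "Prior to version 1.68.1" statement in the quoted text, so the affected ranges look consistent. Minor: the commit subject spells "vulnerability" as "vulneability".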
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69d24dd7.22da5.69f9442c>
