Description
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
golang-1.13 | fixed | 1.13~beta1-3 | | package |
golang-1.12 | fixed | 1.12.8-1 | | package |
golang-1.11 | fixed | 1.11.13-1 | | package |
golang-1.8 | removed | | | package |
golang-1.8 | ignored | | stretch | package |
golang-1.7 | removed | | | package |
golang-1.7 | ignored | | stretch | package |
golang | removed | | | package |
golang | not-affected | | jessie | package |
golang-golang-x-net-dev | fixed | 1:0.0+git20190811.74dc4d7+dfsg-1 | | package |
golang-golang-x-net-dev | postponed | | buster | package |
trafficserver | fixed | 8.0.5+ds-1 | | package |
h2o | fixed | 2.2.5+dfsg2-3 | | package |
Notes
Issue: https://github.com/golang/go/issues/33606
https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11)
https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
https://github.com/h2o/h2o/issues/2090
https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f