Description
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
golang-1.13 | fixed | 1.13~beta1-3 | | package |
golang-1.12 | fixed | 1.12.8-1 | | package |
golang-1.11 | fixed | 1.11.13-1 | | package |
golang-1.8 | removed | | | package |
golang-1.8 | ignored | | stretch | package |
golang-1.7 | removed | | | package |
golang-1.7 | ignored | | stretch | package |
golang | removed | | | package |
golang | not-affected | | jessie | package |
golang-golang-x-net-dev | fixed | 1:0.0+git20190811.74dc4d7+dfsg-1 | | package |
golang-golang-x-net-dev | no-dsa | | buster | package |
nodejs | fixed | 10.16.3~dfsg-1 | | package |
nodejs | not-affected | | stretch | package |
nodejs | not-affected | | jessie | package |
trafficserver | fixed | 8.0.5+ds-1 | | package |
h2o | fixed | 2.2.5+dfsg2-3 | | package |
rust-h2 | fixed | 0.3.24-1 | | package |
rust-h2 | no-dsa | | bookworm | package |
rust-h2 | no-dsa | | buster | package |
Notes
Issue: https://github.com/golang/go/issues/33606
https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11)
https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
https://github.com/h2o/h2o/issues/2090
https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f
https://rustsec.org/advisories/RUSTSEC-2024-0003.html
https://github.com/hyperium/h2/pull/737
Related vulnerabilities
golang.org/x/net/http vulnerable to a reset flood