Описание
golang.org/x/net/http vulnerable to ping floods
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Specific Go Packages Affected
golang.org/x/net/http2
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-9512
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- https://go.dev/cl/190137
- https://go.dev/issue/33606
- https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5
- https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ
- https://kb.cert.org/vuls/id/605641
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296
- https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ
- https://pkg.go.dev/vuln/GO-2022-0536
- https://seclists.org/bugtraq/2019/Aug/24
- https://seclists.org/bugtraq/2019/Aug/31
- https://seclists.org/bugtraq/2019/Aug/43
- https://seclists.org/bugtraq/2019/Sep/18
- https://security.netapp.com/advisory/ntap-20190823-0001
- https://security.netapp.com/advisory/ntap-20190823-0004
- https://security.netapp.com/advisory/ntap-20190823-0005
- https://support.f5.com/csp/article/K98053339
- https://support.f5.com/csp/article/K98053339?utm_source=f5support&utm_medium=RSS
- https://usn.ubuntu.com/4308-1
- https://www.debian.org/security/2019/dsa-4503
- https://www.debian.org/security/2019/dsa-4508
- https://www.debian.org/security/2019/dsa-4520
- https://www.synology.com/security/advisory/Synology_SA_19_33
- https://access.redhat.com/errata/RHSA-2019:2594
- https://access.redhat.com/errata/RHSA-2019:2661
- https://access.redhat.com/errata/RHSA-2019:2682
- https://access.redhat.com/errata/RHSA-2019:2690
- https://access.redhat.com/errata/RHSA-2019:2726
- https://access.redhat.com/errata/RHSA-2019:2766
- https://access.redhat.com/errata/RHSA-2019:2769
- https://access.redhat.com/errata/RHSA-2019:2796
- https://access.redhat.com/errata/RHSA-2019:2861
- https://access.redhat.com/errata/RHSA-2019:2925
- https://access.redhat.com/errata/RHSA-2019:2939
- https://access.redhat.com/errata/RHSA-2019:2955
- https://access.redhat.com/errata/RHSA-2019:2966
- https://access.redhat.com/errata/RHSA-2019:3131
- https://access.redhat.com/errata/RHSA-2019:3245
- https://access.redhat.com/errata/RHSA-2019:3265
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/errata/RHSA-2019:3906
- https://access.redhat.com/errata/RHSA-2019:4018
- https://access.redhat.com/errata/RHSA-2019:4019
- https://access.redhat.com/errata/RHSA-2019:4020
- https://access.redhat.com/errata/RHSA-2019:4021
- https://access.redhat.com/errata/RHSA-2019:4040
- https://access.redhat.com/errata/RHSA-2019:4041
- https://access.redhat.com/errata/RHSA-2019:4042
- https://access.redhat.com/errata/RHSA-2019:4045
- https://access.redhat.com/errata/RHSA-2019:4269
- https://access.redhat.com/errata/RHSA-2019:4273
- https://access.redhat.com/errata/RHSA-2019:4352
- https://access.redhat.com/errata/RHSA-2020:0406
- https://access.redhat.com/errata/RHSA-2020:0727
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html
- http://seclists.org/fulldisclosure/2019/Aug/16
- http://www.openwall.com/lists/oss-security/2019/08/20/1
Пакеты
golang.org/x/net
< 0.0.0-20190813141303-74dc4d7220e7
0.0.0-20190813141303-74dc4d7220e7
Связанные уязвимости
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Some HTTP/2 implementations are vulnerable to ping floods, potentially ...