Description
Security update for nghttp2
This update for nghttp2 fixes the following issues:
nghttp2 was updated to version 1.40.0 (bsc#1166481)
- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal
Package list
Container ses/6/cephcsi/cephcsi:latest
libnghttp2-14-1.40.0-3.6.3
Container ses/6/rook/ceph:latest
libnghttp2-14-1.40.0-3.6.3
Container suse/sle15:15.0
libnghttp2-14-1.40.0-3.6.3
Container suse/sle15:15.1
libnghttp2-14-1.40.0-3.6.3
SUSE Linux Enterprise Module for Basesystem 15 SP1
libnghttp2-14-1.40.0-3.6.3
libnghttp2-14-32bit-1.40.0-3.6.3
libnghttp2-devel-1.40.0-3.6.3
libnghttp2_asio-devel-1.40.0-3.6.3
libnghttp2_asio1-1.40.0-3.6.3
References
- Link for SUSE-SU-2020:0722-1
- E-Mail link for SUSE-SU-2020:0722-1
- SUSE Security Ratings
- SUSE Bug 1159003
- SUSE Bug 1166481
- SUSE CVE CVE-2019-18802 page
Description
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers.
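The mismatch described above, shown as a raw byte comparison next to a matcher that trims optional whitespace before comparing. This is an added example, not code from Envoy or nghttp2; the function names and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Optional whitespace (OWS) in an HTTP field value is SP or HTAB (RFC 7230, 3.2.3). */
static int is_ows(char c) { return c == ' ' || c == '\t'; }

/* Raw matcher (hypothetical name): byte-for-byte comparison of the value as received.
 * "example.com " is not equal to "example.com", so a rule keyed on the exact
 * string does not fire for the padded value. */
int host_matches_raw(const char *value, size_t len, const char *rule) {
    return len == strlen(rule) && memcmp(value, rule, len) == 0;
}

/* Narrow [*start, *start + *len) so it excludes leading and trailing OWS. */
void trim_ows(const char **start, size_t *len) {
    while (*len > 0 && is_ows((*start)[0])) { (*start)++; (*len)--; }
    while (*len > 0 && is_ows((*start)[*len - 1])) { (*len)--; }
}

/* Normalizing matcher (hypothetical name): trim OWS, then compare.
 * Whitespace remaining inside the value is never valid in a host name,
 * so such a value is rejected outright: returns -1. Otherwise 1 or 0. */
int host_matches_normalized(const char *value, size_t len, const char *rule) {
    trim_ows(&value, &len);
    for (size_t i = 0; i < len; i++)
        if (is_ows(value[i])) return -1;
    return host_matches_raw(value, len, rule);
}

int main(void) {
    /* Constructed Host values; "example.com" is the rule from the text above. */
    const char *samples[] = { "example.com", "example.com ",
                              "example.com\t", "exa mple.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = strlen(samples[i]);
        printf("[%s] raw=%d normalized=%d\n", samples[i],
               host_matches_raw(samples[i], n, "example.com"),
               host_matches_normalized(samples[i], n, "example.com"));
    }
    return 0;
}
```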
Affected products
Container ses/6/cephcsi/cephcsi:latest:libnghttp2-14-1.40.0-3.6.3
Container ses/6/rook/ceph:latest:libnghttp2-14-1.40.0-3.6.3
Container suse/sle15:15.0:libnghttp2-14-1.40.0-3.6.3
Container suse/sle15:15.1:libnghttp2-14-1.40.0-3.6.3
References
- CVE-2019-18802
- SUSE Bug 1159003