SUSE-SU-2021:0931-1

Published: 24 Mar 2021
Source: suse-cvrf

Description

Security update for nghttp2

This update for nghttp2 fixes the following issues:

  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

Package list

Container ses/6/cephcsi/cephcsi:latest
  • libnghttp2-14-1.40.0-3.11.1
Container ses/6/rook/ceph:latest
  • libnghttp2-14-1.40.0-3.11.1
Container suse/sle15:15.0
  • libnghttp2-14-1.40.0-3.11.1
Container suse/sle15:15.1
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-Azure-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-EC2-CHOST-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-EC2-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-GCE-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-Azure
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-Azure-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-Azure-LI-BYOS-Production
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-Azure-VLI-BYOS-Production
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-EC2-HVM
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-EC2-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-GCE
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SAP-GCE-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-Azure-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-Azure-HPC-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-CHOST-BYOS-Azure
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-CHOST-BYOS-EC2
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-CHOST-BYOS-GCE
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-EC2-HPC-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-EC2-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-GCE-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-Azure
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-Azure-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-EC2-HVM
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-EC2-HVM-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-GCE
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAP-GCE-BYOS
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAPCAL-Azure
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAPCAL-EC2-HVM
  • libnghttp2-14-1.40.0-3.11.1
Image SLES15-SP1-SAPCAL-GCE
  • libnghttp2-14-1.40.0-3.11.1
SUSE Enterprise Storage 6
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise High Performance Computing 15-LTSS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise Server 15 SP1-BCL
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise Server 15 SP1-LTSS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise Server 15-LTSS
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise Server for SAP Applications 15
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Manager Proxy 4.0
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Manager Retail Branch Server 4.0
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1
SUSE Manager Server 4.0
  • libnghttp2-14-1.40.0-3.11.1
  • libnghttp2-14-32bit-1.40.0-3.11.1
  • libnghttp2-devel-1.40.0-3.11.1
  • libnghttp2_asio-devel-1.40.0-3.11.1
  • libnghttp2_asio1-1.40.0-3.11.1

Description

In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes a denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround for this vulnerability: implement the nghttp2_on_frame_recv_callback callback and, if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
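The workaround in the description is a per-frame check on two values, the frame type and the number of settings entries. The following C program is an added example, not code from SUSE or from the nghttp2 project: it implements that check over a raw HTTP/2 frame header so it compiles without libnghttp2. It relies on two RFC 7540 facts, a fixed 9-byte frame header and 6-byte SETTINGS entries, which is also why the advisory's 14,400-byte payload equals 2400 entries (and why that frame slips past the default 16,384-byte SETTINGS_MAX_FRAME_SIZE limit). The threshold of 32 entries is the advisory's own suggestion; the function and type names are this example's, and the sample HEADERS frame is constructed for the demo. In a real nghttp2 integration the same decision belongs in your nghttp2_on_frame_recv_callback, where `frame->hd.type == NGHTTP2_SETTINGS` and `frame->settings.niv` give the same two values and returning `NGHTTP2_ERR_CALLBACK_FAILURE` tears the session down.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* RFC 7540: fixed 9-byte frame header (section 4.1), 6-byte SETTINGS
 * entries (section 6.5.1), frame type 0x4 = SETTINGS. */
#define H2_FRAME_HEADER_LEN    9
#define H2_SETTINGS_ENTRY_LEN  6
#define H2_FRAME_TYPE_SETTINGS 0x04

/* Hypothetical threshold, taken from the advisory's "e.g., > 32" workaround. */
#define H2_MAX_SETTINGS_ENTRIES 32

enum h2_verdict { H2_ACCEPT = 0, H2_DROP = 1, H2_NEED_MORE = -1 };

typedef struct {
    uint32_t length;    /* 24-bit payload length */
    uint8_t  type;
    uint8_t  flags;
    uint32_t stream_id; /* 31 bits; reserved high bit masked off */
} h2_frame_header;

/* Parse the 9-byte header (network byte order). Returns 0 on success,
 * -1 when fewer than 9 bytes are available. */
int h2_parse_frame_header(const uint8_t *buf, size_t len, h2_frame_header *hd)
{
    if (buf == NULL || hd == NULL || len < H2_FRAME_HEADER_LEN) return -1;
    hd->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    hd->type      = buf[3];
    hd->flags     = buf[4];
    hd->stream_id = (((uint32_t)buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16)
                  | ((uint32_t)buf[7] << 8) | buf[8];
    return 0;
}

/* Entries implied by a SETTINGS payload length, or -1 if the length is not a
 * multiple of 6 (RFC 7540 treats that as a FRAME_SIZE_ERROR). */
long h2_settings_entry_count(uint32_t payload_len)
{
    if (payload_len % H2_SETTINGS_ENTRY_LEN != 0) return -1;
    return (long)(payload_len / H2_SETTINGS_ENTRY_LEN);
}

/* The advisory's workaround applied to a raw frame header: drop when the frame
 * is SETTINGS and carries more than max_entries entries. Non-SETTINGS frames
 * are accepted unchanged; a malformed SETTINGS length is also a drop. */
enum h2_verdict h2_settings_flood_check(const uint8_t *buf, size_t len, unsigned max_entries)
{
    h2_frame_header hd;
    long n;
    if (h2_parse_frame_header(buf, len, &hd) != 0) return H2_NEED_MORE;
    if (hd.type != H2_FRAME_TYPE_SETTINGS) return H2_ACCEPT;
    n = h2_settings_entry_count(hd.length);
    if (n < 0) return H2_DROP;
    return n > (long)max_entries ? H2_DROP : H2_ACCEPT;
}

/* Build a SETTINGS header (stream 0, no flags) for a given payload length. */
void h2_build_settings_header(uint8_t out[H2_FRAME_HEADER_LEN], uint32_t payload_len)
{
    out[0] = (uint8_t)(payload_len >> 16);
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    out[3] = H2_FRAME_TYPE_SETTINGS;
    out[4] = 0;
    out[5] = out[6] = out[7] = out[8] = 0;
}

/* Verdict for a SETTINGS frame whose payload has the given length. */
enum h2_verdict h2_verdict_for_settings_len(uint32_t payload_len, unsigned max_entries)
{
    uint8_t hd[H2_FRAME_HEADER_LEN];
    h2_build_settings_header(hd, payload_len);
    return h2_settings_flood_check(hd, sizeof hd, max_entries);
}

/* Constructed sample: a HEADERS frame (type 0x1, END_HEADERS) on stream 1
 * with a 20-byte payload. It must pass untouched. */
const uint8_t sample_headers_frame[H2_FRAME_HEADER_LEN] =
    { 0x00, 0x00, 0x14, 0x01, 0x04, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    /* The advisory's PoC shape: 14,400-byte SETTINGS payload = 2400 entries. */
    printf("2400-entry SETTINGS: %s\n",
           h2_verdict_for_settings_len(14400, H2_MAX_SETTINGS_ENTRIES) == H2_DROP ? "drop" : "accept");
    /* A typical client preamble carries a couple of entries (12 bytes). */
    printf("2-entry SETTINGS:    %s\n",
           h2_verdict_for_settings_len(12, H2_MAX_SETTINGS_ENTRIES) == H2_DROP ? "drop" : "accept");
    printf("HEADERS frame:       %s\n",
           h2_settings_flood_check(sample_headers_frame, sizeof sample_headers_frame,
                                   H2_MAX_SETTINGS_ENTRIES) == H2_ACCEPT ? "accept" : "drop");
    return 0;
}
```

The check is intentionally a ceiling on entries per frame rather than a rate limit: the advisory's attacker repeats a legitimate-sized frame, so counting entries (not bytes, and not frames per second) is what distinguishes the flood from a normal preamble of a handful of settings. Pick the threshold from what your own clients actually send; 32 is far above any real client's preamble while still far below the 2400 in the report.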


Affected products
Container ses/6/cephcsi/cephcsi:latest:libnghttp2-14-1.40.0-3.11.1
Container ses/6/rook/ceph:latest:libnghttp2-14-1.40.0-3.11.1
Container suse/sle15:15.0:libnghttp2-14-1.40.0-3.11.1
Container suse/sle15:15.1:libnghttp2-14-1.40.0-3.11.1

References
Vulnerability SUSE-SU-2021:0931-1