Описание
Security update for nghttp2
This update for nghttp2 fixes the following issues:
nghttp2 was update to version 1.40.0 (bsc#1166481)
- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.1
libnghttp2-14-1.40.0-lp151.3.6.1
libnghttp2-14-32bit-1.40.0-lp151.3.6.1
libnghttp2-devel-1.40.0-lp151.3.6.1
libnghttp2_asio-devel-1.40.0-lp151.3.6.1
libnghttp2_asio1-1.40.0-lp151.3.6.1
libnghttp2_asio1-32bit-1.40.0-lp151.3.6.1
nghttp2-1.40.0-lp151.3.6.1
python3-nghttp2-1.40.0-lp151.3.6.1
Ссылки
- E-Mail link for openSUSE-SU-2020:0379-1
- SUSE Security Ratings
- SUSE Bug 1159003
- SUSE Bug 1166481
- SUSE CVE CVE-2019-18802 page
Описание
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers.
Затронутые продукты
openSUSE Leap 15.1:libnghttp2-14-1.40.0-lp151.3.6.1
openSUSE Leap 15.1:libnghttp2-14-32bit-1.40.0-lp151.3.6.1
openSUSE Leap 15.1:libnghttp2-devel-1.40.0-lp151.3.6.1
openSUSE Leap 15.1:libnghttp2_asio-devel-1.40.0-lp151.3.6.1
Ссылки
- CVE-2019-18802
- SUSE Bug 1159003