Bug 10191

Summary: [Package Request] nghttp2 security vulnerabilities (CVE-2019-9513)
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Contributed Packages
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: enhancement
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: All
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://advisories.mageia.org/MGASA-2019-0291.html
Whiteboard:
Platform: ---
ROSA Vulnerability identifier: CVE-2019-9513
RPM Package: nghttp2
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2019-10-01 10:18:20 MSK
Some HTTP/2 implementations are vulnerable to window size manipulation
and stream prioritization manipulation, potentially leading to a denial
of service. The attacker requests a large amount of data from a specified
resource over multiple streams. They manipulate window size and stream
priority to force the server to queue the data in 1-byte chunks. Depending
on how efficiently this data is queued, this can consume excess CPU,
memory, or both. (CVE-2019-9511)

Some HTTP/2 implementations are vulnerable to resource loops, potentially
leading to a denial of service. The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess CPU.
(CVE-2019-9513)
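
The two CVE texts above say what the attacker does but not what the server-side data structure is doing while it happens. The Python below is an added illustration for this report, not code from nghttp2 or from the Mageia advisory: it models the HTTP/2 stream priority tree of RFC 7540 section 5.3 (dependencies, exclusive flag, the acyclicity rule of section 5.3.3) and counts the nodes it touches, replays a constructed stream of PRIORITY frames that keeps re-parenting streams without ever sending DATA, and applies an assumed per-connection budget on PRIORITY frames that arrive with no real work in between, closing the connection with ENHANCE_YOUR_CALM when the budget is exceeded. The frame tuples, the budget of 32 and the work counter are assumptions made for the example; they are not nghttp2's actual fix.

```python
# Toy HTTP/2 priority tree (RFC 7540 section 5.3) plus an assumed per-connection
# guard against PRIORITY-frame churn.  Added illustration, not nghttp2's code.
ROOT = 0
ENHANCE_YOUR_CALM = 0xB  # RFC 7540 section 7 error code for abusive peers


class PriorityTree:
    def __init__(self):
        self.parent = {ROOT: None}
        self.children = {ROOT: []}
        self.weight = {ROOT: 16}
        self.work = 0  # nodes touched; a proxy for CPU spent on the tree

    def _attach(self, sid, parent, weight, exclusive):
        if exclusive:  # 5.3.1: sid adopts all of parent's current children
            for child in self.children[parent]:
                self.parent[child] = sid
            self.children[sid].extend(self.children[parent])
            self.work += len(self.children[parent])
            self.children[parent] = []
        self.children[parent].append(sid)
        self.parent[sid] = parent
        self.weight[sid] = weight
        self.work += 1

    def _detach(self, sid):
        self.children[self.parent[sid]].remove(sid)
        self.parent[sid] = None
        self.work += 1

    def _is_descendant(self, node, ancestor):
        # Subtree walk; its cost grows with subtree size, which churn exploits.
        stack = list(self.children[ancestor])
        while stack:
            cur = stack.pop()
            self.work += 1
            if cur == node:
                return True
            stack.extend(self.children[cur])
        return False

    def open_stream(self, sid, parent=ROOT, weight=16, exclusive=False):
        if sid in self.parent:
            raise ValueError("stream %d already open" % sid)
        if parent not in self.parent:
            parent = ROOT  # 5.3.1: unknown dependency falls back to default
        self.children[sid] = []
        self._attach(sid, parent, weight, exclusive)

    def reprioritize(self, sid, parent, weight, exclusive):
        if sid == parent:
            raise ValueError("PROTOCOL_ERROR: stream depends on itself")
        if sid not in self.parent:  # PRIORITY for an idle stream creates it
            self.open_stream(sid, parent, weight, exclusive)
            return
        if parent not in self.parent:
            parent = ROOT
        # 5.3.3: a new parent below sid is first moved up to sid's own parent.
        if self._is_descendant(parent, sid):
            self._detach(parent)
            self._attach(parent, self.parent[sid], self.weight[parent], False)
        self._detach(sid)
        self._attach(sid, parent, weight, exclusive)


def run(frames, priority_budget=32):
    """Assumed guard: PRIORITY frames with no HEADERS/DATA in between count
    against the budget.  Returns (frames_accepted, error_or_None, tree_work)."""
    tree = PriorityTree()
    idle_priority = 0
    for i, frame in enumerate(frames):
        kind, sid = frame[0], frame[1]
        if kind == "HEADERS":
            tree.open_stream(sid, *frame[2:])
            idle_priority = 0
        elif kind == "DATA":
            idle_priority = 0
        elif kind == "PRIORITY":
            idle_priority += 1
            if idle_priority > priority_budget:
                return i, ENHANCE_YOUR_CALM, tree.work  # drop the connection
            tree.reprioritize(sid, *frame[2:])
    return len(frames), None, tree.work


# Constructed sample traffic (not captured from a real client).
BENIGN = [
    ("HEADERS", 1, ROOT, 16, False),
    ("HEADERS", 3, 1, 32, False),
    ("DATA", 1),
    ("PRIORITY", 3, ROOT, 16, False),  # a client re-ordering its downloads
    ("DATA", 3),
]


def resource_loop(rounds):
    """Chain 1<-3<-5<-7<-9, then keep swapping its ends and never send DATA."""
    frames = [("HEADERS", 1, ROOT, 16, False)]
    for sid in (3, 5, 7, 9):
        frames.append(("HEADERS", sid, sid - 2, 16, True))
    for _ in range(rounds):  # each swap: a descendant walk plus two re-parentings
        frames.append(("PRIORITY", 1, 9, 16, True))
        frames.append(("PRIORITY", 9, 1, 16, True))
    return frames
```

With the budget disabled (a very large value) every frame of `resource_loop(50)` is accepted and `work` keeps growing with the number of rounds, which is the CPU-burn the CVE text describes; with the default budget of 32 the connection is cut after the 33rd consecutive PRIORITY frame while `BENIGN`, whose PRIORITY frame is interleaved with DATA, is untouched. The budget value is a policy knob chosen for the example; a real server would tie it to observed frame rates.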

Comment 1 Giovanni Mariani 2019-10-14 20:53:43 MSK
Rosa does not seem to have this package... closing.

If desired, change the bug to a package request and reopen.

Comment 2 Zombie Ryushu 2019-10-18 23:12:34 MSK
Re-opened as a package request.

Comment 3 Giovanni Mariani 2019-10-25 21:30:32 MSK
Packaged and published in Rosa 2016.1 / Contrib.
Prepared a 2019.1 branch.
Closing request.