An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1389 Final 1.0 1.0 2024-04-12 Initial 2024-04-12 2024-04-12 openEuler SA Tool V1.0 2024-04-12 nghttp2 security update An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2. Security Fix(es): nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.(CVE-2024-28182) An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium nghttp2 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1389 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-28182 https://nvd.nist.gov/vuln/detail/CVE-2024-28182 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 libnghttp2-1.41.0-5.oe1.aarch64.rpm libnghttp2-devel-1.41.0-5.oe1.aarch64.rpm nghttp2-debugsource-1.41.0-5.oe1.aarch64.rpm nghttp2-debuginfo-1.41.0-5.oe1.aarch64.rpm nghttp2-1.41.0-5.oe1.aarch64.rpm libnghttp2-devel-1.41.0-6.oe2003sp4.aarch64.rpm libnghttp2-1.41.0-6.oe2003sp4.aarch64.rpm nghttp2-debuginfo-1.41.0-6.oe2003sp4.aarch64.rpm nghttp2-1.41.0-6.oe2003sp4.aarch64.rpm nghttp2-debugsource-1.41.0-6.oe2003sp4.aarch64.rpm libnghttp2-1.46.0-5.oe2203.aarch64.rpm libnghttp2-devel-1.46.0-5.oe2203.aarch64.rpm nghttp2-debugsource-1.46.0-5.oe2203.aarch64.rpm nghttp2-debuginfo-1.46.0-5.oe2203.aarch64.rpm nghttp2-1.46.0-5.oe2203.aarch64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp1.aarch64.rpm libnghttp2-devel-1.46.0-6.oe2203sp1.aarch64.rpm libnghttp2-1.46.0-6.oe2203sp1.aarch64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp1.aarch64.rpm nghttp2-1.46.0-6.oe2203sp1.aarch64.rpm libnghttp2-1.46.0-6.oe2203sp2.aarch64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp2.aarch64.rpm libnghttp2-devel-1.46.0-6.oe2203sp2.aarch64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp2.aarch64.rpm nghttp2-1.46.0-6.oe2203sp2.aarch64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp3.aarch64.rpm libnghttp2-devel-1.46.0-6.oe2203sp3.aarch64.rpm nghttp2-1.46.0-6.oe2203sp3.aarch64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp3.aarch64.rpm libnghttp2-1.46.0-6.oe2203sp3.aarch64.rpm nghttp2-help-1.41.0-5.oe1.noarch.rpm nghttp2-help-1.41.0-6.oe2003sp4.noarch.rpm nghttp2-help-1.46.0-5.oe2203.noarch.rpm nghttp2-help-1.46.0-6.oe2203sp1.noarch.rpm nghttp2-help-1.46.0-6.oe2203sp2.noarch.rpm nghttp2-help-1.46.0-6.oe2203sp3.noarch.rpm nghttp2-1.41.0-5.oe1.src.rpm nghttp2-1.41.0-6.oe2003sp4.src.rpm nghttp2-1.46.0-5.oe2203.src.rpm nghttp2-1.46.0-6.oe2203sp1.src.rpm nghttp2-1.46.0-6.oe2203sp2.src.rpm nghttp2-1.46.0-6.oe2203sp3.src.rpm nghttp2-debuginfo-1.41.0-5.oe1.x86_64.rpm libnghttp2-1.41.0-5.oe1.x86_64.rpm nghttp2-1.41.0-5.oe1.x86_64.rpm nghttp2-debugsource-1.41.0-5.oe1.x86_64.rpm libnghttp2-devel-1.41.0-5.oe1.x86_64.rpm nghttp2-debuginfo-1.41.0-6.oe2003sp4.x86_64.rpm nghttp2-debugsource-1.41.0-6.oe2003sp4.x86_64.rpm libnghttp2-devel-1.41.0-6.oe2003sp4.x86_64.rpm nghttp2-1.41.0-6.oe2003sp4.x86_64.rpm libnghttp2-1.41.0-6.oe2003sp4.x86_64.rpm nghttp2-debuginfo-1.46.0-5.oe2203.x86_64.rpm libnghttp2-1.46.0-5.oe2203.x86_64.rpm nghttp2-debugsource-1.46.0-5.oe2203.x86_64.rpm libnghttp2-devel-1.46.0-5.oe2203.x86_64.rpm nghttp2-1.46.0-5.oe2203.x86_64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp1.x86_64.rpm nghttp2-1.46.0-6.oe2203sp1.x86_64.rpm libnghttp2-1.46.0-6.oe2203sp1.x86_64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp1.x86_64.rpm libnghttp2-devel-1.46.0-6.oe2203sp1.x86_64.rpm libnghttp2-1.46.0-6.oe2203sp2.x86_64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp2.x86_64.rpm nghttp2-1.46.0-6.oe2203sp2.x86_64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp2.x86_64.rpm libnghttp2-devel-1.46.0-6.oe2203sp2.x86_64.rpm nghttp2-1.46.0-6.oe2203sp3.x86_64.rpm libnghttp2-1.46.0-6.oe2203sp3.x86_64.rpm libnghttp2-devel-1.46.0-6.oe2203sp3.x86_64.rpm nghttp2-debuginfo-1.46.0-6.oe2203sp3.x86_64.rpm nghttp2-debugsource-1.46.0-6.oe2203sp3.x86_64.rpm nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. 2024-04-12 CVE-2024-28182 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L nghttp2 security update 2024-04-12 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1389