USN-6754-1: nghttp2 vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• nghttp2 - HTTP/2 C Library and tools

Details

It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)

It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
issue to cause nghttp2 to consume resources, leading to a denial of
service. (CVE-2024-28182)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• libnghttp2-14 - 1.55.1-1ubuntu0.2
• nghttp2 - 1.55.1-1ubuntu0.2
• nghttp2-client - 1.55.1-1ubuntu0.2
• nghttp2-proxy - 1.55.1-1ubuntu0.2
• nghttp2-server - 1.55.1-1ubuntu0.2

Ubuntu 22.04

• libnghttp2-14 - 1.43.0-1ubuntu0.2
• nghttp2 - 1.43.0-1ubuntu0.2
• nghttp2-client - 1.43.0-1ubuntu0.2
• nghttp2-proxy - 1.43.0-1ubuntu0.2
• nghttp2-server - 1.43.0-1ubuntu0.2

Ubuntu 20.04

• libnghttp2-14 - 1.40.0-1ubuntu0.3
• nghttp2 - 1.40.0-1ubuntu0.3
• nghttp2-client - 1.40.0-1ubuntu0.3
• nghttp2-proxy - 1.40.0-1ubuntu0.3
• nghttp2-server - 1.40.0-1ubuntu0.3

Ubuntu 18.04

• libnghttp2-14 - 1.30.0-1ubuntu1+esm2
  Available with Ubuntu Pro
• nghttp2 - 1.30.0-1ubuntu1+esm2
  Available with Ubuntu Pro
• nghttp2-client - 1.30.0-1ubuntu1+esm2
  Available with Ubuntu Pro
• nghttp2-proxy - 1.30.0-1ubuntu1+esm2
  Available with Ubuntu Pro
• nghttp2-server - 1.30.0-1ubuntu1+esm2
  Available with Ubuntu Pro

Ubuntu 16.04

• libnghttp2-14 - 1.7.1-1ubuntu0.1~esm2
  Available with Ubuntu Pro
• nghttp2 - 1.7.1-1ubuntu0.1~esm2
  Available with Ubuntu Pro
• nghttp2-client - 1.7.1-1ubuntu0.1~esm2
  Available with Ubuntu Pro
• nghttp2-proxy - 1.7.1-1ubuntu0.1~esm2
  Available with Ubuntu Pro
• nghttp2-server - 1.7.1-1ubuntu0.1~esm2
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-28182
• CVE-2019-9511
• CVE-2019-9513
• CVE-2023-44487

Related notices

• USN-6754-2: libnghttp2-dev, nghttp2-client, nghttp2, nghttp2-server, libnghttp2-14, nghttp2-proxy, libnghttp2-doc
• USN-4099-1: nginx-light, libnginx-mod-http-dav-ext, nginx-common, libnginx-mod-http-uploadprogress, libnginx-mod-http-image-filter, libnginx-mod-nchan, libnginx-mod-http-xslt-filter, nginx-extras, libnginx-mod-http-headers-more-filter, libnginx-mod-mail, libnginx-mod-http-geoip, libnginx-mod-http-ndk, libnginx-mod-http-echo, libnginx-mod-http-subs-filter, libnginx-mod-http-upstream-fair, libnginx-mod-http-perl, nginx-full, libnginx-mod-http-lua, libnginx-mod-http-cache-purge, libnginx-mod-http-auth-pam, libnginx-mod-http-fancyindex, nginx-doc, libnginx-mod-rtmp, libnginx-mod-stream, nginx-core, nginx
• USN-6427-1: aspnetcore-runtime-7.0, dotnet6, dotnet-targeting-pack-7.0, dotnet-sdk-7.0, dotnet-apphost-pack-6.0, aspnetcore-runtime-6.0, dotnet-runtime-7.0, dotnet-hostfxr-6.0, dotnet7, dotnet-host-7.0, dotnet-sdk-6.0, dotnet-apphost-pack-7.0, dotnet-host, aspnetcore-targeting-pack-7.0, netstandard-targeting-pack-2.1-7.0, dotnet-targeting-pack-6.0, dotnet-templates-7.0, dotnet-templates-6.0, dotnet-sdk-7.0-source-built-artifacts, dotnet-runtime-6.0, dotnet-hostfxr-7.0, aspnetcore-targeting-pack-6.0, netstandard-targeting-pack-2.1, dotnet-sdk-6.0-source-built-artifacts
• USN-6427-2: dotnet-runtime-8.0, dotnet-templates-8.0, netstandard-targeting-pack-2.1-8.0, dotnet-sdk-8.0, dotnet-targeting-pack-8.0, dotnet-sdk-8.0-source-built-artifacts, dotnet8, dotnet-hostfxr-8.0, aspnetcore-targeting-pack-8.0, dotnet-apphost-pack-8.0, aspnetcore-runtime-8.0, dotnet-host-8.0
• USN-6438-1: aspnetcore-runtime-7.0, dotnet6, dotnet-targeting-pack-7.0, dotnet-sdk-7.0, dotnet-apphost-pack-6.0, aspnetcore-runtime-6.0, dotnet-runtime-7.0, dotnet-hostfxr-6.0, dotnet7, dotnet-host-7.0, dotnet-sdk-6.0, dotnet-apphost-pack-7.0, dotnet-host, aspnetcore-targeting-pack-7.0, netstandard-targeting-pack-2.1-7.0, dotnet-targeting-pack-6.0, dotnet-templates-7.0, dotnet-templates-6.0, dotnet-sdk-7.0-source-built-artifacts, dotnet-runtime-6.0, dotnet-hostfxr-7.0, aspnetcore-targeting-pack-6.0, netstandard-targeting-pack-2.1, dotnet-sdk-6.0-source-built-artifacts
• USN-6505-1: libnghttp2-dev, nghttp2-client, nghttp2, nghttp2-server, libnghttp2-14, nghttp2-proxy, libnghttp2-doc
• USN-6574-1: golang-1.20, golang-1.21-src, golang-1.21-go, golang-1.20-src, golang-1.20-doc, golang-1.21-doc, golang-1.21, golang-1.20-go
• USN-6994-1: libnetty-java, netty
• USN-7067-1: haproxy, vim-haproxy, haproxy-doc