Bugzilla – Bug 1216174
VUL-0: nghttp2: Rapid reset attack impact (CVE-2023-44487)
Last modified: 2024-12-13 10:20:42 UTC
The nghttp2 team reworked their session management to mitigate the impact of the "HTTP/2 Rapid Reset Attack" vulnerability.
https://github.com/nghttp2/nghttp2/pull/1961

Upstream commit:
https://github.com/nghttp2/nghttp2/pull/1961/commits/72b4af6143681f528f1d237b21a9a7aee1738832

We are tracking all "HTTP/2 Rapid Reset Attack" related bugs within bsc#1216123.
1.57.0 is on the way to Factory: https://build.opensuse.org/request/show/1118015
Submitted for: 15sp2,15,12sp2/nghttp2. I believe all fixed.
SUSE-SU-2023:4200-1: An update that solves one vulnerability and has one security fix can now be installed.
Category: security (important)
Bug References: 1216123, 1216174
CVE References: CVE-2023-44487
Sources used:
openSUSE Leap Micro 5.3 (src): nghttp2-1.40.0-150200.12.1
openSUSE Leap Micro 5.4 (src): nghttp2-1.40.0-150200.12.1
openSUSE Leap 15.4 (src): nghttp2-1.40.0-150200.12.1, nghttp2-python-1.40.0-150200.12.1
openSUSE Leap 15.5 (src): nghttp2-1.40.0-150200.12.1, nghttp2-python-1.40.0-150200.12.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro 5.3 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro 5.4 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro 5.5 (src): nghttp2-1.40.0-150200.12.1
Basesystem Module 15-SP4 (src): nghttp2-1.40.0-150200.12.1
Basesystem Module 15-SP5 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nghttp2-1.40.0-150200.12.1
SUSE Manager Proxy 4.2 (src): nghttp2-1.40.0-150200.12.1
SUSE Manager Retail Branch Server 4.2 (src): nghttp2-1.40.0-150200.12.1
SUSE Manager Server 4.2 (src): nghttp2-1.40.0-150200.12.1
SUSE Enterprise Storage 7.1 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro 5.1 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro 5.2 (src): nghttp2-1.40.0-150200.12.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): nghttp2-1.40.0-150200.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4199-1: An update that solves one vulnerability and has one security fix can now be installed.
Category: security (important)
Bug References: 1216123, 1216174
CVE References: CVE-2023-44487
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): nghttp2-1.39.2-3.13.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): nghttp2-1.39.2-3.13.1
SUSE Linux Enterprise Server 12 SP5 (src): nghttp2-1.39.2-3.13.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): nghttp2-1.39.2-3.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4492-1: An update that solves one vulnerability and has one security fix can now be installed.
Category: security (important)
Bug References: 1216123, 1216174
CVE References: CVE-2023-44487
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): nghttp2-1.40.0-150000.3.17.1
SUSE CaaS Platform 4.0 (src): nghttp2-1.40.0-150000.3.17.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): nghttp2-1.40.0-150000.3.17.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): nghttp2-1.40.0-150000.3.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4613-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1215713, 1216174
CVE References: CVE-2023-35945, CVE-2023-44487
Sources used:
SUSE CaaS Platform 4.0 (src): release-notes-caasp-4.2.20231122-150100.4.85.1, caasp-release-4.2.10-150100.24.55.2, skuba-1.4.17-150100.3.70.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

All done, closing.