
An nghttp2 security update has been released for Debian GNU/Linux 9 Extended LTS to address CVE-2023-44487, a denial-of-service flaw in HTTP/2 stream handling that lets a client rapidly create and cancel streams on a single connection.



ELA-984-1 nghttp2 security update

Package : nghttp2
Version : 1.18.1-1+deb9u3 (stretch)

Related CVEs :
CVE-2023-44487

CVE-2023-44487 describes a flaw in HTTP/2 stream handling that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame immediately followed by a RST_STREAM frame for the same stream. By the time the reset arrives the server has already started processing the request, and a cancelled stream no longer counts against the peer's concurrent-stream limit (SETTINGS_MAX_CONCURRENT_STREAMS), so one connection can force the server to allocate and tear down far more requests than that limit was meant to allow. The result is a denial of service through resource exhaustion.
The applied patches mitigate this flaw by rate limiting stream cancellations and disconnecting the client when this limit is exceeded. Because the fix lives in the shared library, services that link against libnghttp2 must be restarted to pick up the updated code.
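The following is an added example, not code from nghttp2 or from the Debian patch: it parses the fixed 9-octet HTTP/2 frame header, counts RST_STREAM frames arriving from a client, and applies a token-bucket limit on cancellations of the kind the advisory describes, returning the point at which a server would close the connection. It also constructs the HEADERS-then-RST_STREAM traffic pattern as sample input. The burst and refill figures (RESET_BURST, RESET_RATE) are hypothetical and deliberately small so the behaviour is easy to follow; the advisory does not state the values used in the actual patch, and upstream nghttp2 exposes its own limits through a library option (nghttp2_option_set_stream_reset_rate_limit in recent releases) that the stretch backport may or may not carry.

```c
/* Added example (not nghttp2 or Debian code): minimal HTTP/2 frame-header parser plus a
 * token-bucket limit on stream cancellations, modelled on the mitigation the advisory
 * describes. RESET_BURST and RESET_RATE are hypothetical and deliberately small. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define H2_FRAME_HEADER_LEN 9
#define H2_HEADERS    0x1
#define H2_RST_STREAM 0x3
#define RESET_BURST   5     /* hypothetical: cancellations a client may make at once */
#define RESET_RATE    2.0   /* hypothetical: further cancellations allowed per second */

typedef struct { double tokens, last_refill; } reset_limiter;
typedef struct { uint32_t length; uint8_t type, flags; uint32_t stream_id; } h2_frame_header;

/* Token bucket: 1 if this cancellation is within limits, 0 if the client has exceeded them. */
static int limiter_consume(reset_limiter *l, double now)
{
    l->tokens += (now - l->last_refill) * RESET_RATE;
    if (l->tokens > RESET_BURST) l->tokens = RESET_BURST;
    l->last_refill = now;
    if (l->tokens < 1.0) return 0;
    l->tokens -= 1.0;
    return 1;
}

/* RFC 9113 section 4.1: 24-bit length, 8-bit type, 8-bit flags, reserved bit, 31-bit stream id. */
static int parse_frame_header(const uint8_t *buf, size_t len, h2_frame_header *h)
{
    if (len < H2_FRAME_HEADER_LEN) return -1;
    h->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    h->type      = buf[3];
    h->flags     = buf[4];
    h->stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                    ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;
    return 0;
}

/* Walk one batch of client frames received at time `now`. Returns the 1-based ordinal of the
 * RST_STREAM that exceeded the limit (where the server would close the connection), 0 if the
 * batch stayed within limits, or -1 for truncated or malformed input. */
static int scan_client_frames(reset_limiter *l, const uint8_t *buf, size_t len, double now)
{
    size_t off = 0;
    int resets = 0;
    while (off < len) {
        h2_frame_header h;
        if (parse_frame_header(buf + off, len - off, &h) != 0) return -1;
        off += H2_FRAME_HEADER_LEN;
        if (h.length > len - off) return -1;               /* payload cut off */
        if (h.type == H2_RST_STREAM) {
            /* RST_STREAM carries exactly a 4-octet error code and never targets stream 0 */
            if (h.length != 4 || h.stream_id == 0) return -1;
            resets++;
            if (!limiter_consume(l, now)) return resets;
        }
        off += h.length;                                   /* other payloads are skipped */
    }
    return 0;
}

/* Serialise one frame (header + payload) into out; returns bytes written. */
static size_t put_frame(uint8_t *out, uint8_t type, uint8_t flags, uint32_t sid,
                        const uint8_t *payload, uint32_t plen)
{
    out[0] = (uint8_t)(plen >> 16); out[1] = (uint8_t)(plen >> 8); out[2] = (uint8_t)plen;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)((sid >> 24) & 0x7f); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8); out[8] = (uint8_t)sid;
    memcpy(out + H2_FRAME_HEADER_LEN, payload, plen);
    return H2_FRAME_HEADER_LEN + plen;
}

/* Constructed sample traffic: `pairs` HEADERS frames (END_HEADERS set), each immediately
 * followed by RST_STREAM(CANCEL) on a fresh odd stream id, i.e. the CVE-2023-44487 pattern.
 * The header block is three HPACK static-table references: :method GET, :scheme http, :path /. */
static size_t build_rapid_reset(uint8_t *out, size_t cap, int pairs)
{
    static const uint8_t hdr_block[] = { 0x82, 0x86, 0x84 };
    static const uint8_t cancel[]    = { 0x00, 0x00, 0x00, 0x08 };  /* error code CANCEL */
    size_t off = 0;
    for (int i = 0; i < pairs; i++) {
        uint32_t sid = 2u * (uint32_t)i + 1u;
        if (off + 2 * H2_FRAME_HEADER_LEN + 3 + 4 > cap) return 0;
        off += put_frame(out + off, H2_HEADERS, 0x4 /* END_HEADERS */, sid, hdr_block, 3);
        off += put_frame(out + off, H2_RST_STREAM, 0, sid, cancel, 4);
    }
    return off;
}

/* Feed `batches` copies of the same `pairs`-pair burst to one limiter, `gap` seconds apart,
 * with the last `trim` bytes of each batch dropped to simulate a truncated read. Returns the
 * first non-zero verdict from scan_client_frames, or 0 if every batch was within limits. */
static int run_bursts(int pairs, int batches, double gap, size_t trim)
{
    uint8_t buf[4096];
    reset_limiter l = { RESET_BURST, 0.0 };   /* bucket starts full */
    size_t n = build_rapid_reset(buf, sizeof buf, pairs);
    if (n == 0 || trim > n) return -1;
    for (int b = 0; b < batches; b++) {
        int v = scan_client_frames(&l, buf, n - trim, b * gap);
        if (v != 0) return v;
    }
    return 0;
}
```

With the hypothetical limits above, a burst of ten create/cancel pairs is cut off at the sixth RST_STREAM, five pairs pass, and a client that pauses long enough for the bucket to refill is not penalised; a truncated frame is rejected outright rather than miscounted. The real mitigation sits inside the library's frame-processing path and counts resets per connection in the same spirit, so the parameters to watch when tuning a server are the allowed burst and the refill rate, not the HEADERS/RST_STREAM pairing itself.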
