svn commit: r509113 - head/security/vuxml

Sunpoet Po-Chuan Hsieh sunpoet at FreeBSD.org
Fri Aug 16 18:11:46 UTC 2019 

Author: sunpoet
Date: Fri Aug 16 18:11:39 2019
New Revision: 509113
URL: https://svnweb.freebsd.org/changeset/ports/509113

Log:
  Document nghttp2 vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Aug 16 18:11:33 2019	(r509112)
+++ head/security/vuxml/vuln.xml	Fri Aug 16 18:11:39 2019	(r509113)
@@ -58,6 +58,51 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="121fec01-c042-11e9-a73f-b36f5969f162">
+    <topic>nghttp2 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>libnghttp2</name>
+	<name>nghttp2</name>
+	<range><lt>1.39.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>nghttp2 GitHub releases:</p>
+	<blockquote cite="https://github.com/nghttp2/nghttp2/releases">
+	  <p>This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513
+	    "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted
+	    HTTP/2 frames cause Denial of Service by consuming CPU time. Check out
+	    https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
+	    for details. For nghttpx, additionally limiting inbound traffic by
+	    --read-rate and --read-burst options is quite effective against this
+	    kind of attack.</p>
+	  <p>CVE-2019-9511 "Data Dribble": The attacker requests a large amount of
+	    data from a specified resource over multiple streams. They manipulate
+	    window size and stream priority to force the server to queue the data in
+	    1-byte chunks. Depending on how efficiently this data is queued, this
+	    can consume excess CPU, memory, or both, potentially leading to a
+	    denial of service.</p>
+	  <p>CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an
+	    HTTP/2 peer, causing the peer to build an internal queue of responses.
+	    Depending on how efficiently this data is queued, this can consume
+	    excess CPU, memory, or both, potentially leading to a denial of service.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/nghttp2/nghttp2/releases</url>
+      <url>https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md</url>
+      <cvename>CVE-2019-9511</cvename>
+      <cvename>CVE-2019-9513</cvename>
+    </references>
+    <dates>
+      <discovery>2019-08-13</discovery>
+      <entry>2019-08-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="60e991ac-c013-11e9-b662-001cc0382b2f">
     <topic>CUPS -- multiple vulnerabilities</topic>
     <affects>

More information about the svn-ports-all mailing list