1.95.0
Notably, this release addresses:
USN-6754-1 nghttp2 vulnerabilities:
- CVE-2024-28182:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2
in C. The nghttp2 library prior to version 1.61.0 keeps reading the
unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset
to keep HPACK context in sync. This causes excessive CPU usage to decode
HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the
number of CONTINUATION frames it accepts per stream. There is no workaround
for this vulnerability.
- CVE-2019-9511:
Some HTTP/2 implementations are vulnerable to window size manipulation and
stream prioritization manipulation, potentially leading to a denial of
service. The attacker requests a large amount of data from a specified
resource over multiple streams. They manipulate window size and stream
priority to force the server to queue the data in 1-byte chunks. Depending
on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
- CVE-2019-9513:
Some HTTP/2 implementations are vulnerable to resource loops, potentially
leading to a denial of service. The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess CPU.
- CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource
consumption) because request cancellation can reset many streams quickly,
as exploited in the wild in August through October 2023.
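The per-stream CONTINUATION limit described under CVE-2024-28182, shown as an added example that is not nghttp2's code or part of these release notes: Python that walks raw HTTP/2 frames and reports header blocks whose CONTINUATION count exceeds a cap. The cap of 8, the function names and the sample frames are assumptions constructed for the example.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                  # flag that closes a header block
MAX_CONTINUATIONS = 8              # assumed cap for this example, not nghttp2's value

def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    head = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return head + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id) per frame; reject truncated input."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + 9 + length > len(data):
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id
        pos += 9 + length
    if pos != len(data):
        raise ValueError("truncated frame header")

def streams_over_cap(data, cap=MAX_CONTINUATIONS):
    """Return {stream_id: count} for header blocks with more than cap CONTINUATIONs."""
    open_blocks, flagged = {}, {}
    for ftype, flags, sid in parse_frames(data):
        if ftype == HEADERS:
            open_blocks[sid] = 0               # a new header block starts
        elif ftype == CONTINUATION:
            open_blocks[sid] = open_blocks.get(sid, 0) + 1
            if open_blocks[sid] > cap:
                flagged[sid] = open_blocks[sid]
        if ftype in (HEADERS, CONTINUATION) and flags & END_HEADERS:
            open_blocks.pop(sid, None)         # block complete, stop counting
    return flagged

# Constructed sample input; payload bytes are opaque here (no HPACK decoding).
NORMAL = (frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"\x86")
          + frame(CONTINUATION, END_HEADERS, 1, b"\x84"))
RUNAWAY = frame(HEADERS, 0, 3, b"\x82") + frame(CONTINUATION, 0, 3, b"\x86") * 12

if __name__ == "__main__":
    print(streams_over_cap(NORMAL + RUNAWAY))
```
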
-ii libnghttp2-14:amd64 1.43.0-1ubuntu0.1 amd64 library implementing HTTP/2 protocol (shared library)
+ii libnghttp2-14:amd64 1.43.0-1ubuntu0.2 amd64 library implementing HTTP/2 protocol (shared library)
-ii linux-libc-dev:amd64 5.15.0-102.112 amd64 Linux Kernel Headers for development
+ii linux-libc-dev:amd64 5.15.0-105.115 amd64 Linux Kernel Headers for development```
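Review bot: the linux-libc-dev change from 5.15.0-102.112 to 5.15.0-105.115 has no matching entry in the notes above, which list only USN-6754-1 for nghttp2; name the advisory or reason behind the kernel headers update. For libnghttp2-14, the fix ships as 1.43.0-1ubuntu0.2 rather than the 1.61.0 named in the CVE-2024-28182 text, so it is worth stating that the packaged version carries the fix, since a check that compares against 1.61.0 would still report this package as affected.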