FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-19 19:12:13 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
121fec01-c042-11e9-a73f-b36f5969f162	nghttp2 -- multiple vulnerabilities nghttp2 GitHub releases: This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. Discovery 2019-08-13 Entry 2019-08-16 libnghttp2 nghttp2 < 1.39.2 https://github.com/nghttp2/nghttp2/releases https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md CVE-2019-9511 CVE-2019-9513
4bb56d2f-a5b0-11ea-a860-08002728f74c	nghttp2 -- DoS vulnerability nghttp2 security advisories: The overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. Discovery 2020-06-02 Entry 2020-06-03 nghttp2 libnghttp2 < 1.41.0 https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr CVE-2020-11080

VuXML ID

Description

121fec01-c042-11e9-a73f-b36f5969f162

nghttp2 -- multiple vulnerabilities

nghttp2 GitHub releases:

This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

Discovery 2019-08-13
Entry 2019-08-16
libnghttp2
nghttp2

< 1.39.2

https://github.com/nghttp2/nghttp2/releases
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
CVE-2019-9511
CVE-2019-9513

4bb56d2f-a5b0-11ea-a860-08002728f74c

nghttp2 -- DoS vulnerability

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

Discovery 2020-06-02
Entry 2020-06-03
nghttp2
libnghttp2

< 1.41.0

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
CVE-2020-11080