ELA-1104-1 nghttp2 security update

DoS due to bad handling of CONTINUATION frames

2024-06-01
Package: nghttp2
Version: 1.18.1-1+deb9u4 (stretch)
Related CVEs: CVE-2024-28182


An issue has been found in nghttp2, a library, server, proxy and client implementing HTTP/2. An implementation using the nghttp2 library will continue to receive CONTINUATION frames and will not call back to the application to give it visibility into this information before it resets the stream, resulting in denial of service.
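
Added example, not nghttp2 code and not part of the original advisory: a header block held open by CONTINUATION frames that never set END_HEADERS can be spotted in decrypted HTTP/2 frame bytes by counting CONTINUATION frames per header block. The function names, the cap of 8 and the sample bytes are assumptions constructed for this illustration.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9  # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                 # flag that closes a header block
MAX_CONTINUATIONS = 8             # assumed cap, chosen for this example

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload_length) per complete frame."""
    off = 0
    while off + 9 <= len(data):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", data, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(data):
            break  # truncated capture: stop at the last whole frame
        yield ftype, flags, sid & 0x7FFFFFFF, length
        off += 9 + length

def oversized_header_blocks(data, cap=MAX_CONTINUATIONS):
    """Return one finding per header block with more than `cap` CONTINUATION frames."""
    findings, block = [], None
    for ftype, flags, sid, length in parse_frames(data):
        if ftype == HEADERS:
            block = {"stream": sid, "continuations": 0, "bytes": length, "ended": False}
        elif ftype == CONTINUATION and block and sid == block["stream"]:
            block["continuations"] += 1
            block["bytes"] += length
        else:
            continue
        if block["continuations"] == cap + 1:
            findings.append(block)  # same dict keeps updating as frames arrive
        if flags & END_HEADERS:
            block["ended"] = True
            block = None
    return findings

# Constructed sample: two well-formed requests, then a block that never ends.
SAMPLE = (
    build_frame(HEADERS, END_HEADERS, 1, b"\x00" * 30)
    + build_frame(HEADERS, 0, 3, b"\x00" * 30)
    + build_frame(CONTINUATION, END_HEADERS, 3, b"\x00" * 30)
    + build_frame(HEADERS, 0, 5, b"\x00" * 30)
    + b"".join(build_frame(CONTINUATION, 0, 5, b"\x00" * 30) for _ in range(20))
)

print(oversized_header_blocks(SAMPLE))
```

PUSH_PROMISE frames also open a header block and are not tracked here; the input is assumed to start after the connection preface.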



For Debian 9 stretch, this problem has been fixed in version 1.18.1-1+deb9u4.

We recommend that you upgrade your nghttp2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.