ELA-984-1 nghttp2 security update

Denial of Service

2023-10-15
Package: nghttp2
Version: 1.18.1-1+deb9u3 (stretch)
Related CVEs: CVE-2023-44487


CVE-2023-44487 describes a flaw in the HTTP/2 protocol that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame immediately followed by a RST_STREAM frame. Because the server commits resources to each new stream before the cancellation arrives, this can cause a denial of service due to resource exhaustion.

The applied patches mitigate this flaw by rate limiting the cancellation of streams and disconnecting the client when this limit is exceeded.
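To make the mitigation concrete, the following is an added illustration of the rate-limiting idea, written for this advisory and not taken from the Debian patch or from nghttp2's own code. A token bucket is kept per connection: every RST_STREAM received by the server costs one token, tokens refill at a fixed rate up to a burst ceiling, and a client that cancels a stream when no token is left is marked for disconnection. The `reset_limiter` type, the function names, and the burst and refill values used in the scenarios are constructed for the example; the limits nghttp2 actually ships are not stated in this advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection token bucket for RST_STREAM frames.
 * Each cancelled stream costs one token; tokens refill at `rate` per
 * second up to `burst`. Names and values are constructed for this
 * example and are not nghttp2's. */
typedef struct {
    uint64_t burst;      /* bucket capacity */
    uint64_t rate;       /* tokens refilled per second */
    uint64_t tokens;     /* tokens currently available */
    uint64_t last_ms;    /* time up to which refill has been accounted */
    bool     disconnect; /* set once the peer exceeded the limit */
} reset_limiter;

void reset_limiter_init(reset_limiter *rl, uint64_t burst, uint64_t rate,
                        uint64_t now_ms) {
    rl->burst = burst;
    rl->rate = rate;
    rl->tokens = burst;      /* a fresh connection may burst up to the ceiling */
    rl->last_ms = now_ms;
    rl->disconnect = false;
}

/* Add the whole tokens earned since last_ms. Only the time that produced
 * whole tokens is consumed, so sub-token remainders carry over. */
static void reset_limiter_refill(reset_limiter *rl, uint64_t now_ms) {
    if (rl->rate == 0 || now_ms <= rl->last_ms) return;
    uint64_t elapsed_ms = now_ms - rl->last_ms;
    uint64_t added = elapsed_ms * rl->rate / 1000;
    if (added == 0) return;
    uint64_t total = rl->tokens + added;
    rl->tokens = total > rl->burst ? rl->burst : total;
    rl->last_ms += added * 1000 / rl->rate;
}

/* Called for every RST_STREAM the peer sends. Returns true while the peer
 * is within the limit; returns false, and latches the disconnect flag,
 * once the bucket is empty. After that the connection should be closed. */
bool reset_limiter_on_rst_stream(reset_limiter *rl, uint64_t now_ms) {
    if (rl->disconnect) return false;
    reset_limiter_refill(rl, now_ms);
    if (rl->tokens == 0) {
        rl->disconnect = true;
        return false;
    }
    rl->tokens--;
    return true;
}

/* Constructed scenario: one client sends `count` HEADERS+RST_STREAM pairs
 * spaced `interval_ms` apart, starting at t=0. Returns how many
 * cancellations were accepted before the limiter demanded a disconnect
 * (equal to `count` if the limit was never hit). */
size_t simulate_rapid_reset(uint64_t burst, uint64_t rate, size_t count,
                            uint64_t interval_ms) {
    reset_limiter rl;
    reset_limiter_init(&rl, burst, rate, 0);
    size_t accepted = 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t now_ms = (uint64_t)i * interval_ms;
        if (!reset_limiter_on_rst_stream(&rl, now_ms)) break;
        accepted++;
    }
    return accepted;
}

int main(void) {
    /* Flood: 5000 resets in the same millisecond, bucket of 1000 -> cut off at 1000. */
    printf("flood accepted: %zu\n", simulate_rapid_reset(1000, 33, 5000, 0));
    /* Well-behaved: one reset per second is far below the refill rate -> never cut off. */
    printf("steady accepted: %zu\n", simulate_rapid_reset(1000, 33, 5000, 1000));
    /* Slow drain: 10 per second against a refill of 5 per second, bucket of 10. */
    printf("drain accepted: %zu\n", simulate_rapid_reset(10, 5, 100, 100));
    return 0;
}
```

The latched `disconnect` flag is the part that matters operationally: once a client has exhausted its bucket the connection is torn down rather than allowed to resume after a refill, which is what stops the attacker from simply pacing the flood to the refill rate. A legitimate client that occasionally cancels requests never comes close to the ceiling, as the steady-rate scenario shows.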



For Debian 9 stretch, these problems have been fixed in version 1.18.1-1+deb9u3.

We recommend that you upgrade your nghttp2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.