操作系统--麒麟信安操作系统,国产操作系统,麒麟信安云桌面—

公告ID (KylinSec-SA-2023-1771)

摘要:

nghttp2 security update

安全等级: High

公告ID: KylinSec-SA-2023-1771

发布日期: 2023年10月28日

关联CVE: CVE-2023-44487

详细介绍

1. 漏洞描述

The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2.

Security Fix(es):

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)

2. 影响范围

cve名称	产品	组件	是否受影响
CVE-2023-44487	KY3.4-4A	nghttp2	Fixed
CVE-2023-44487	KY3.4-5A	nghttp2	Fixed
CVE-2023-44487	KY3.5.1	nghttp2	Fixed
CVE-2023-44487	KY3.5.2	nghttp2	Fixed

3. 影响组件

nghttp2

4. 修复版本

KY3.5.1

软件名称	架构	版本号
nghttp2-help	noarch	1.46.0-4.kb1.ky3_5
libnghttp2	x86_64	1.46.0-4.kb1.ky3_5
libnghttp2-devel	x86_64	1.46.0-4.kb1.ky3_5
nghttp2	x86_64	1.46.0-4.kb1.ky3_5
libnghttp2-devel	aarch64	1.46.0-4.kb1.ky3_5
libnghttp2	aarch64	1.46.0-4.kb1.ky3_5
nghttp2	aarch64	1.46.0-4.kb1.ky3_5

KY3.4-4A

软件名称	架构	版本号
nghttp2-help	noarch	1.41.0-4.kb1.ky3_4
libnghttp2	x86_64	1.41.0-4.kb1.ky3_4
nghttp2	x86_64	1.41.0-4.kb1.ky3_4
libnghttp2-devel	x86_64	1.41.0-4.kb1.ky3_4
libnghttp2-devel	aarch64	1.41.0-4.kb1.ky3_4
libnghttp2	aarch64	1.41.0-4.kb1.ky3_4
nghttp2	aarch64	1.41.0-4.kb1.ky3_4

KY3.4-5A

软件名称	架构	版本号
nghttp2-help	noarch	1.41.0-5.kb1.ky3_4
nghttp2	x86_64	1.41.0-5.kb1.ky3_4
libnghttp2-devel	x86_64	1.41.0-5.kb1.ky3_4
libnghttp2	x86_64	1.41.0-5.kb1.ky3_4
libnghttp2	aarch64	1.41.0-5.kb1.ky3_4
nghttp2	aarch64	1.41.0-5.kb1.ky3_4
libnghttp2-devel	aarch64	1.41.0-5.kb1.ky3_4

KY3.5.2

软件名称	架构	版本号
nghttp2-help	noarch	1.46.0-5.ky3_5
libnghttp2	x86_64	1.46.0-5.ky3_5
nghttp2	x86_64	1.46.0-5.ky3_5
libnghttp2-devel	x86_64	1.46.0-5.ky3_5
libnghttp2-devel	aarch64	1.46.0-5.ky3_5
nghttp2	aarch64	1.46.0-5.ky3_5
libnghttp2	aarch64	1.46.0-5.ky3_5