GLSA Advocate
Posted: Sun Dec 04, 2016 11:26 am Post subject: [ GLSA 201612-06 ] nghttp2
Gentoo Linux Security Advisory
Title: nghttp2: Heap-use-after-free (GLSA 201612-06)
Severity: normal
Exploitable: remote
Date: December 04, 2016
Bug(s): #569518
ID: 201612-06
Synopsis
Nghttp2 is vulnerable to a heap-use-after-free flaw in idle stream
handling code.
Background
Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.
Affected Packages
Package: net-libs/nghttp2
Vulnerable: < 1.6.0
Unaffected: >= 1.6.0
Architectures: All supported architectures
Description
A heap-use-after-free vulnerability has been discovered in nghttp2.
Please review the CVE identifier referenced below for details.
Impact
The impact of the vulnerability is still unknown.
Workaround
There is no known workaround at this time.
Resolution
All nghttp2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.6.0"

References
CVE-2015-8659