USN-6505-1: nghttp2 vulnerability

Releases

• Ubuntu 23.10
• Ubuntu 23.04
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• nghttp2 - HTTP/2 C Library and tools

Details

It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• libnghttp2-14 - 1.55.1-1ubuntu0.1
• nghttp2 - 1.55.1-1ubuntu0.1
• nghttp2-client - 1.55.1-1ubuntu0.1
• nghttp2-proxy - 1.55.1-1ubuntu0.1
• nghttp2-server - 1.55.1-1ubuntu0.1

Ubuntu 23.04

• libnghttp2-14 - 1.52.0-1ubuntu0.1
• nghttp2 - 1.52.0-1ubuntu0.1
• nghttp2-client - 1.52.0-1ubuntu0.1
• nghttp2-proxy - 1.52.0-1ubuntu0.1
• nghttp2-server - 1.52.0-1ubuntu0.1

Ubuntu 22.04

• libnghttp2-14 - 1.43.0-1ubuntu0.1
• nghttp2 - 1.43.0-1ubuntu0.1
• nghttp2-client - 1.43.0-1ubuntu0.1
• nghttp2-proxy - 1.43.0-1ubuntu0.1
• nghttp2-server - 1.43.0-1ubuntu0.1

Ubuntu 20.04

• libnghttp2-14 - 1.40.0-1ubuntu0.2
• nghttp2 - 1.40.0-1ubuntu0.2
• nghttp2-client - 1.40.0-1ubuntu0.2
• nghttp2-proxy - 1.40.0-1ubuntu0.2
• nghttp2-server - 1.40.0-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-44487

Related notices

• USN-6427-1
• USN-6427-2
• USN-6438-1
• USN-6574-1
• USN-6754-1
• USN-6994-1
• USN-7067-1