File _patchinfo of Package patchinfo.12315

<patchinfo incident="12315">
  <issue tracker="bnc" id="964140">nghttp2 fails to build with GCC 6</issue>
  <issue tracker="bnc" id="966514">VUL-0: CVE-2016-1544: nghttpd,nghttp,libnghttp2_asio: Out of memory due to unlimited incoming HTTP header fields</issue>
  <issue tracker="bnc" id="1082318">Packages must not mark license files as %doc</issue>
  <issue tracker="bnc" id="962914">Typo in description of libnghttp2_asio1</issue>
  <issue tracker="bnc" id="1134616">nghttp2: fails to build with boost 1.70.0</issue>
  <issue tracker="bnc" id="1146184">VUL-1: CVE-2019-9513: nghttp2: HTTP/2 implementation is vulnerable to resource loops, potentially leading to a denial of service.</issue>
  <issue tracker="bnc" id="1125689">nghttp2 mistake in spec file</issue>
  <issue tracker="bnc" id="1146182">VUL-0: CVE-2019-9511: nghttp2: HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service</issue>
  <issue tracker="bnc" id="1088639">VUL-0: CVE-2018-1000168: nghttp2: ALTSVC frame client side DoS</issue>
  <issue tracker="bnc" id="1112438">[TRACKER] FATE #326776 - nodejs10 for W&amp;S module</issue>
  <issue tracker="bnc" id="1181358">VUL-0: CVE-2020-11080: nghttp2: HTTP/2 Large Settings Frame DoS</issue>
  <issue tracker="cve" id="2018-1000168"/>
  <issue tracker="cve" id="2019-9511"/>
  <issue tracker="cve" id="2019-9513"/>
  <issue tracker="cve" id="2016-1544"/>
  <issue tracker="fate" id="326776"/>
  <issue tracker="cve" id="2020-11080"/>
  <category>security</category>
  <rating>important</rating>
  <packager>pluskalm</packager>
  <description>This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2020-11080: Fixed HTTP/2 Large Settings Frame denial of service (bsc#1181358).
- CVE-2019-9513: Fixed a vulnerability to resource loops in the HTTP/2 implementation, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed a vulnerability to window size manipulation and stream prioritization manipulation in the HTTP/2 implementation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

Bug fixes and enhancements:

- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&amp;S module (FATE#326776, bsc#1112438)
  </description>
  <summary>Security update for nghttp2</summary>
</patchinfo>