Candidate: CVE-2018-1000168
CRD: 2018-04-12 15:00:00 UTC
PublicDate: 2018-05-08 15:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000168
 https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
Description:
 nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input
 Validation CWE-20 vulnerability in ALTSVC frame handling that can result in
 segmentation fault leading to denial of service. This attack appears to be
 exploitable via network client. This vulnerability appears to have been
 fixed in >= 1.31.1.
Ubuntu-Description: 
Notes: 
 mdeslaur> Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: 
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_nghttp2:
upstream_nghttp2: released (1.31.1)
precise/esm_nghttp2: DNE
trusty_nghttp2: DNE
trusty/esm_nghttp2: DNE
xenial_nghttp2: not-affected (1.7.1-1)
artful_nghttp2: ignored (reached end-of-life)
bionic_nghttp2: released (1.30.0-1ubuntu1)
devel_nghttp2: released (1.30.0-1ubuntu1)