CVE-2019-9512

Priority
Description
Some HTTP/2 implementations are vulnerable to ping floods, potentially
leading to a denial of service. The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both.
Notes
sbeattie: nginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0
mdeslaur: Packages built using golang need to be rebuilt once the
vulnerability has been fixed. This CVE entry does not
list packages that need rebuilding outside of the main
repository or the Ubuntu variants with PPA overlays.

no details on any possible twisted fixes as of 2019-11-19
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.04 (Disco Dingo): needs-triage
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): needs-triage
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE
Patches:
Upstream: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): needs-triage
Ubuntu 19.10 (Eoan Ermine): needs-triage
Ubuntu 20.04 (Focal Fossa): needs-triage
Patches:
Upstream: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE

Package
Source: h2o (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.04 (Disco Dingo): released (2.2.5+dfsg2-2+deb10u1build0.19.04.1)
Ubuntu 19.10 (Eoan Ermine): not-affected (2.2.5+dfsg2-3)
Ubuntu 20.04 (Focal Fossa): not-affected (2.2.5+dfsg2-3)

Package
Source: netty (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan Ermine): needed
Ubuntu 20.04 (Focal Fossa): needed

Package
Source: nginx (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (fixed for CVE-2018-16844)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (fixed for CVE-2018-16844)
Ubuntu 19.04 (Disco Dingo): not-affected (fixed for CVE-2018-16844)
Ubuntu 19.10 (Eoan Ermine): not-affected (fixed for CVE-2018-16844)
Ubuntu 20.04 (Focal Fossa): not-affected (fixed for CVE-2018-16844)

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan Ermine): not-affected (8.0.5+ds-1)
Ubuntu 20.04 (Focal Fossa): not-affected (8.0.5+ds-1)

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver): deferred (2019-11-19)
Ubuntu 19.04 (Disco Dingo): deferred (2019-11-19)
Ubuntu 19.10 (Eoan Ermine): deferred (2019-11-19)
Ubuntu 20.04 (Focal Fossa): deferred (2019-11-19)
Updated: 2019-11-19 14:14:47 UTC (commit c00d8abd38d1d83d543bfc7aee640ba5332143eb)