CVE-2019-9513 in Ubuntu

CVE-2019-9513

Priority

Description

Some HTTP/2 implementations are vulnerable to resource loops, potentially
leading to a denial of service. The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess CPU.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://ubuntu.com/security/notices/USN-4099-1

Assigned-to

mdeslaur

Notes

sbeattie	nginx added http2 support in 1.9.5 nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur	nghttp2-server is in universe

Package

Source: nghttp2 (LP Ubuntu Debian)

Upstream:	released (1.39.2)
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected (1.39.2-1)
Ubuntu 21.10:	not-affected (1.39.2-1)
Ubuntu 22.04 LTS:	not-affected (1.39.2-1)
Ubuntu 14.04 ESM:	DNE

Patches:

Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support

Package

Source: nginx (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	released (1.14.0-0ubuntu1.4)
Ubuntu 20.04 LTS:	released (1.16.1-0ubuntu1)
Ubuntu 21.10:	released (1.16.1-0ubuntu1)
Ubuntu 16.04 ESM:	released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 22.04 LTS:	released (1.16.1-0ubuntu1)
Ubuntu 14.04 ESM:	not-affected (http2 support not implemented)

Patches:

Upstream:

https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b

Package

Source: nodejs (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needs-triage
Ubuntu 20.04 LTS:	needs-triage
Ubuntu 21.10:	needs-triage
Ubuntu 22.04 LTS:	needs-triage
Ubuntu 14.04 ESM:	needs-triage

Patches:

More Information

Updated: 2022-04-25 00:45:10 UTC (commit ecc1009cb19540b950de59270950018900f37f15)