CVE-2019-9514

Priority
Description
Some HTTP/2 implementations are vulnerable to a reset flood, potentially
leading to a denial of service. The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both.
Ubuntu-Description
It was discovered that Netty incorrectly implements HTTP/2. An attacker could
possibly use this issue to cause a denial of service.
Notes
sbeattienginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0
mdeslaurPackages built using golang need to be rebuilt once the
vulnerability has been fixed. This CVE entry does not
list packages that need rebuilding outside of the main
repository or the Ubuntu variants with PPA overlays.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Patches:
Upstream:https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 (Focal Fossa):needs-triage
Patches:
Upstream:https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: grpc (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: h2o (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):not-affected (2.2.5+dfsg2-3)
Ubuntu 20.04 (Focal Fossa):not-affected (2.2.5+dfsg2-3)
Package
Source: netty (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: nginx (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (fixed for CVE-2018-16844)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (fixed for CVE-2018-16844)
Ubuntu 19.10 (Eoan Ermine):not-affected (fixed for CVE-2018-16844)
Ubuntu 20.04 (Focal Fossa):not-affected (fixed for CVE-2018-16844)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):not-affected (8.0.5+ds-1)
Ubuntu 20.04 (Focal Fossa):not-affected (8.0.5+ds-1)
Package
Upstream:released (19.10.0)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):released (17.9.0-2ubuntu0.1)
Ubuntu 19.10 (Eoan Ermine):released (18.9.0-3ubuntu1.1)
Ubuntu 20.04 (Focal Fossa):released (18.9.0-6ubuntu1)
Patches:
Upstream:https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816
More Information

Updated: 2020-03-19 20:14:40 UTC (commit 3533a7fc1ab97702d9ed96d1b38f0316b43895d2)