CVE-2019-9516 (retired)

Priority
Description
Some HTTP/2 implementations are vulnerable to a header leak, potentially
leading to a denial of service. The attacker sends a stream of headers with
a 0-length header name and 0-length header value, optionally Huffman
encoded into 1-byte or greater headers. Some implementations allocate
memory for these headers and keep the allocation alive until the session
dies. This can consume excess memory.
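The allocation pattern the description sketches, as an added illustration that is not code from the Ubuntu tracker or from nginx: a toy decoder for the HPACK "literal header field without indexing" form (first octet 0x00) that contrasts a session which retains every decoded header, zero-length ones included, until the session ends, with one that rejects an empty field name as a protocol error and drops headers once the frame is processed. Assumptions: string lengths stay below 127 so no integer continuation bytes occur, only empty strings may carry the Huffman flag, and no static/dynamic table indexing is used.

```python
# Constructed example; not nginx's implementation of the HTTP/2 module.

class ProtocolError(Exception):
    """Raised where an HTTP/2 decoder would send PROTOCOL_ERROR."""


def _read_string(block: bytes, pos: int):
    """Read one HPACK string literal: flag/length octet, then the bytes."""
    if pos >= len(block):
        raise ProtocolError("truncated string literal")
    huffman = bool(block[pos] & 0x80)
    length = block[pos] & 0x7F      # assumption: no varint continuation
    pos += 1
    data = block[pos:pos + length]
    if len(data) != length:
        raise ProtocolError("truncated string literal")
    if huffman and length:
        raise ProtocolError("Huffman decoding not modelled here")
    # A zero-length Huffman string (0x80) still costs one octet on the wire,
    # which is the "1-byte or greater" header the advisory mentions.
    return data, pos + length


def decode_literals(block: bytes):
    """Yield (name, value) pairs from a block of 0x00-prefixed literals."""
    pos = 0
    while pos < len(block):
        if block[pos] != 0x00:
            raise ProtocolError("only literal-without-indexing is modelled")
        name, pos = _read_string(block, pos + 1)
        value, pos = _read_string(block, pos)
        yield name, value


class VulnerableSession:
    """Keeps every header, however empty, alive for the session's lifetime."""
    def __init__(self):
        self.retained = []          # grows with each HEADERS frame, never freed

    def on_headers(self, block: bytes) -> int:
        self.retained.extend(decode_literals(block))
        return len(self.retained)


class HardenedSession:
    """Rejects empty names (not a valid field-name token) and frees per frame."""
    def on_headers(self, block: bytes):
        headers = []
        for name, value in decode_literals(block):
            if not name:
                raise ProtocolError("zero-length header name")
            headers.append((name, value))
        return headers              # caller discards this once the stream ends
```

Feeding the vulnerable session repeated frames of `b"\x00\x00\x00"` (empty name, empty value) shows the retained count climbing across frames, while the hardened session refuses the first such frame.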
Notes
 sbeattie> nginx added http2 support in 1.9.5
Assigned-to
mdeslaur
Package
Source: nginx
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.14.0-0ubuntu1.4)
Ubuntu 19.04 (Disco Dingo): released (1.15.9-0ubuntu1.1)
Ubuntu 19.10 (Eoan): released (1.16.1-0ubuntu1)
Patches:
Upstream: https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388
Updated: 2019-09-19 16:07:39 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)