
Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset


Marco Moock

Nov 28, 2023, 11:00:06 AM
On 28.11.2023 at 08:56:28, Marold Marcus (DC-AE/ESW1) wrote:

> I would like to request an upgrade of the curl package (Linux Ubuntu
> Core 22 / Jammy) to Nghttp2 v1.57.0 because of
> CVE-2023-44487 <https://github.com/advisories/GHSA-qppj-fm5r-hxr3>:
> HTTP/2 Rapid Reset.

That is the Debian user mailing list, not related to Ubuntu.

Debian has curl 8.4.0 included.

Testing and unstable already have nghttp2 1.58.0.
Stable doesn't.
https://tracker.debian.org/pkg/nghttp2

Contact the maintainers (listed on the left) about that.

Andy Smith

Nov 28, 2023, 11:10:06 AM
Hi,

On Tue, Nov 28, 2023 at 08:56:28AM +0000, Marold Marcus (DC-AE/ESW1) wrote:
> I would like to request an upgrade of the curl package (Linux
> Ubuntu Core 22 / Jammy) to Nghttp2 v1.57.0 because of
> CVE-2023-44487 <https://github.com/advisories/GHSA-qppj-fm5r-hxr3>:
> HTTP/2 Rapid Reset.

Your mention of the curl package is confusing since this is a bug in
Nghttp2 amongst other things, so I assume that was just an error.

Secondly, this is Debian, not Ubuntu. If you want to report
something to Ubuntu, report it to Ubuntu.

Next up, this is a user support list contributed to by users. It's
not the place to officially report bugs, at least not if you want
them to be read by the package maintainers and to have some sort of
audit trail.

Looking at:

https://security-tracker.debian.org/tracker/CVE-2023-44487
https://security-tracker.debian.org/tracker/source-package/nghttp2

I see that for some reason the bug is fixed in unstable and bullseye
(oldstable) but not stable. I can't see any open bugs in nghttp2 so
possibly it's just delayed slightly but you may want to officially
report it to Debian using "reportbug" or the instructions at
https://bugs.debian.org/.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Phil Wyett

Nov 28, 2023, 3:00:06 PM
On Tue, 2023-11-28 at 08:56 +0000, Marold Marcus (DC-AE/ESW1) wrote:
> Hello,
> I would like to request an upgrade of the curl package (Linux Ubuntu Core 22 / Jammy) to Nghttp2
> v1.57.0 because of CVE-2023-44487: HTTP/2 Rapid Reset.
> https://nghttp2.org/blog/2023/10/10/nghttp2-v1-57-0/
> Thank you in advance.
>  
> Kind regards / Best regards
>
> Marcus Marold
> ctrlX AppSoftware DC-AE/ESW1
>
> Fax +49 9352 18-5830
> marcus...@boschrexroth.de
> www.boschrexroth.com
>
> Bosch Rexroth AG
> Bgm.-Dr.-Nebel-Str. 2
> 97816 Lohr am Main
> GERMANY
>
> BOSCH REXROTH
>
>
>
> Registered office: Stuttgart, Register court: Amtsgericht Stuttgart HRB 23192
> Board of Management: Dr. Steffen Haack (Chairman), Roland Bittenauer, Thomas Fechner, Holger von Hebel,
> Reinhard Schäfer
> Chairman of the Supervisory Board: Dr. Markus Forschner
>
>

Hi,

For Ubuntu reference of which versions are or are not affected, see:

https://ubuntu.com/security/CVE-2023-44487

Regards

Phil

--
Playing the game for the games sake.

* Debian Maintainer

Web:

* Debian Wiki: https://wiki.debian.org/PhilWyett
* Website: https://kathenas.org

Social:

* Instagram: kathenasorg
* Threads: @kathenasorg


