[ALAS-2024-1935] Amazon Linux AMI 2014.03 - ALAS-2024-1935: important priority package update for nghttp2

Severity Important

Affected Packages 8

CVEs 1

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-28182:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Package	Affected Version
pkg:rpm/amazonlinux/nghttp2?arch=x86_64&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/nghttp2?arch=i686&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=x86_64&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=i686&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/libnghttp2?arch=x86_64&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/libnghttp2?arch=i686&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/libnghttp2-devel?arch=x86_64&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1
pkg:rpm/amazonlinux/libnghttp2-devel?arch=i686&distro=amazonlinux-1	< 1.33.0-1.1.9.amzn1

ID

ALAS-2024-1935

Severity

important

URL

https://alas.aws.amazon.com/ALAS-2024-1935.html

Published

2024-05-09T17:43:00
(4 months ago)

Modified

2024-05-09T17:43:00
(4 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	Name	URL
CVE	CVE-2024-28182		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/nghttp2?arch=x86_64&distro=amazonlinux-1	amazonlinux	nghttp2	< 1.33.0-1.1.9.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/nghttp2?arch=i686&distro=amazonlinux-1	amazonlinux	nghttp2	< 1.33.0-1.1.9.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=x86_64&distro=amazonlinux-1	amazonlinux	nghttp2-debuginfo	< 1.33.0-1.1.9.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=i686&distro=amazonlinux-1	amazonlinux	nghttp2-debuginfo	< 1.33.0-1.1.9.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/libnghttp2?arch=x86_64&distro=amazonlinux-1	amazonlinux	libnghttp2	< 1.33.0-1.1.9.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/libnghttp2?arch=i686&distro=amazonlinux-1	amazonlinux	libnghttp2	< 1.33.0-1.1.9.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/libnghttp2-devel?arch=x86_64&distro=amazonlinux-1	amazonlinux	libnghttp2-devel	< 1.33.0-1.1.9.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/libnghttp2-devel?arch=i686&distro=amazonlinux-1	amazonlinux	libnghttp2-devel	< 1.33.0-1.1.9.amzn1	amazonlinux-1	i686

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date