[ALAS2-2020-1445] Amazon Linux 2 2017.12 - ALAS2-2020-1445: important priority package update for nghttp2
Severity
Important
Affected Packages
12
CVEs
1
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2020-11080:
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
1844929: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS
- ID
- ALAS2-2020-1445
- Severity
- important
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2020-1445.html
- Published
-
2020-06-26T22:54:00
(4 years ago) - Modified
-
2020-07-01T00:02:00
(4 years ago) - Rights
- Amazon Linux Security Team
- Other Advisories
-
-
ALAS-2020-1404
-
ALPINE:CVE-2020-11080
-
ALSA-2020:2755
-
ALSA-2020:2848
-
ALSA-2020:2852
-
DSA-4696-1
-
ELSA-2020-2755
-
ELSA-2020-2848
-
ELSA-2020-2852
-
ELSA-2020-5765
-
FEDORA-2020-43d5a372fc
-
FEDORA-2020-f7d15c8b77
-
FREEBSD:11FCFA8F-AC64-11EA-9DAB-000D3AB229D6
-
FREEBSD:4BB56D2F-A5B0-11EA-A860-08002728F74C
-
MS:CVE-2020-11080
-
openSUSE-SU-2020:0802-1
-
openSUSE-SU-2021:0468-1
-
RHSA-2020:2755
-
RHSA-2020:2848
-
RHSA-2020:2852
-
RLSA-2020:2755
-
RLSA-2020:2848
-
RLSA-2020:2852
-
SUSE-SU-2020:1568-1
-
SUSE-SU-2020:1575-1
-
SUSE-SU-2020:1576-1
-
SUSE-SU-2020:1606-1
-
SUSE-SU-2020:2800-1
-
SUSE-SU-2021:0930-1
-
SUSE-SU-2021:0931-1
-
SUSE-SU-2021:0932-1
-
USN-6142-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| CVE | CVE-2020-11080 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/amazonlinux/nghttp2?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
 nghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/nghttp2?arch=i686&distro=amazonlinux-2 | amazonlinux |
nghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/nghttp2?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
nghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
nghttp2-debuginfo
|
< 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=i686&distro=amazonlinux-2 | amazonlinux |
nghttp2-debuginfo
|
< 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
nghttp2-debuginfo
|
< 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
libnghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2?arch=i686&distro=amazonlinux-2 | amazonlinux |
libnghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
libnghttp2
|
< 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
libnghttp2-devel
|
< 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=i686&distro=amazonlinux-2 | amazonlinux |
libnghttp2-devel
|
< 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
libnghttp2-devel
|
< 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |