[ALAS2-2020-1445] Amazon Linux 2 2017.12 - ALAS2-2020-1445: important priority package update for nghttp2
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2020-11080:
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
1844929: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS
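The workaround described above, as a standalone C example added here (not code from the advisory or from the nghttp2 project): it parses the 9-byte HTTP/2 frame header, derives the number of settings entries from the payload length (each entry is 6 bytes, so the advisory's 14,400-byte frame is 2400 entries) and applies the "> 32 entries" threshold. The header parser, the verdict enum and the threshold constant are this example's own constructions. In a real nghttp2 integration the same test sits inside nghttp2_on_frame_recv_callback, where the frame type and entry count are already decoded (frame->hd.type == NGHTTP2_SETTINGS and frame->settings.niv) and returning NGHTTP2_ERR_CALLBACK_FAILURE aborts the session so the caller can close the connection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HTTP/2 framing constants (RFC 7540). */
#define H2_FRAME_HEADER_LEN   9
#define H2_TYPE_SETTINGS      0x04
#define H2_TYPE_PING          0x06
#define H2_FLAG_ACK           0x01
#define H2_SETTINGS_ENTRY_LEN 6    /* 16-bit identifier + 32-bit value */

/* Threshold taken from the advisory's workaround ("e.g., > 32"); assumption, tune per deployment. */
#define MAX_SETTINGS_ENTRIES  32

struct h2_frame_hd {
    uint32_t length;     /* 24-bit payload length */
    uint8_t  type;
    uint8_t  flags;
    uint32_t stream_id;  /* 31 bits; reserved bit masked off */
};

enum settings_verdict {
    VERDICT_NOT_SETTINGS = 0, /* other frame type; outside this check's scope */
    VERDICT_ACCEPT       = 1, /* SETTINGS frame within the entry budget */
    VERDICT_DROP         = 2, /* too many entries: tear down the connection */
    VERDICT_MALFORMED    = 3  /* short buffer, ACK with payload, or length not a multiple of 6 */
};

/* Parse the big-endian 9-byte frame header: 24-bit length, type, flags, R + 31-bit stream id. */
int h2_parse_frame_header(const uint8_t *buf, size_t len, struct h2_frame_hd *hd)
{
    if (buf == NULL || len < H2_FRAME_HEADER_LEN)
        return -1;
    hd->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    hd->type      = buf[3];
    hd->flags     = buf[4];
    hd->stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16)
                  | ((uint32_t)buf[7] << 8) | buf[8];
    return 0;
}

/* Serialize a frame header; used only to build the constructed samples below. */
void h2_write_frame_header(uint8_t out[H2_FRAME_HEADER_LEN], uint32_t length,
                           uint8_t type, uint8_t flags, uint32_t stream_id)
{
    out[0] = (uint8_t)(length >> 16);
    out[1] = (uint8_t)(length >> 8);
    out[2] = (uint8_t)length;
    out[3] = type;
    out[4] = flags;
    out[5] = (uint8_t)((stream_id >> 24) & 0x7f);
    out[6] = (uint8_t)(stream_id >> 16);
    out[7] = (uint8_t)(stream_id >> 8);
    out[8] = (uint8_t)stream_id;
}

/* The check: the entry count is fixed by the payload length, so the decision can be
 * made from the header alone, before any of the payload is processed. */
enum settings_verdict check_settings_frame(const uint8_t *buf, size_t len)
{
    struct h2_frame_hd hd;
    if (h2_parse_frame_header(buf, len, &hd) != 0)
        return VERDICT_MALFORMED;
    if (hd.type != H2_TYPE_SETTINGS)
        return VERDICT_NOT_SETTINGS;
    /* RFC 7540 s6.5: a SETTINGS ACK has no payload; otherwise the payload is a multiple of 6. */
    if ((hd.flags & H2_FLAG_ACK) && hd.length != 0)
        return VERDICT_MALFORMED;
    if (hd.length % H2_SETTINGS_ENTRY_LEN != 0)
        return VERDICT_MALFORMED;
    if (hd.length / H2_SETTINGS_ENTRY_LEN > MAX_SETTINGS_ENTRIES)
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Convenience: verdict for a constructed frame with the given header fields. */
enum settings_verdict verdict_for_frame(uint32_t length, uint8_t type, uint8_t flags)
{
    uint8_t hd[H2_FRAME_HEADER_LEN];
    h2_write_frame_header(hd, length, type, flags, 0);
    return check_settings_frame(hd, sizeof hd);
}

/* Convenience: verdict for a SETTINGS frame carrying n entries. */
enum settings_verdict verdict_for_settings_count(uint32_t n)
{
    return verdict_for_frame(n * H2_SETTINGS_ENTRY_LEN, H2_TYPE_SETTINGS, 0);
}

int main(void)
{
    /* The advisory's proof-of-concept frame: 14,400 bytes = 2400 entries. */
    printf("2400 entries -> %s\n",
           verdict_for_settings_count(2400) == VERDICT_DROP ? "DROP connection" : "accept");
    printf("  32 entries -> %s\n",
           verdict_for_settings_count(32) == VERDICT_ACCEPT ? "accept" : "DROP connection");
    return 0;
}
```

Because the check needs only the header, a reverse proxy or load balancer in front of an unpatched nghttp2 can apply the same rule; the real fix remains upgrading to nghttp2 1.41.0 or the patched distribution package.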
- ID
- ALAS2-2020-1445
- Severity
- important
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2020-1445.html
- Published
- 2020-06-26T22:54:00
- Modified
- 2020-07-01T00:02:00
- Rights
- Amazon Linux Security Team
- Other Advisories
- ALAS-2020-1404
- ALPINE:CVE-2020-11080
- ALSA-2020:2755
- ALSA-2020:2848
- ALSA-2020:2852
- DSA-4696-1
- ELSA-2020-2755
- ELSA-2020-2848
- ELSA-2020-2852
- ELSA-2020-5765
- FEDORA-2020-43d5a372fc
- FEDORA-2020-f7d15c8b77
- FREEBSD:11FCFA8F-AC64-11EA-9DAB-000D3AB229D6
- FREEBSD:4BB56D2F-A5B0-11EA-A860-08002728F74C
- MS:CVE-2020-11080
- openSUSE-SU-2020:0802-1
- openSUSE-SU-2021:0468-1
- RHSA-2020:2755
- RHSA-2020:2848
- RHSA-2020:2852
- RLSA-2020:2755
- RLSA-2020:2848
- RLSA-2020:2852
- SUSE-SU-2020:1568-1
- SUSE-SU-2020:1575-1
- SUSE-SU-2020:1576-1
- SUSE-SU-2020:1606-1
- SUSE-SU-2020:2800-1
- SUSE-SU-2021:0930-1
- SUSE-SU-2021:0931-1
- SUSE-SU-2021:0932-1
- USN-6142-1
Source | ID | Name | URL |
---|---|---|---|
CVE | CVE-2020-11080 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/nghttp2?arch=x86_64&distro=amazonlinux-2 | amazonlinux | nghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nghttp2?arch=i686&distro=amazonlinux-2 | amazonlinux | nghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/nghttp2?arch=aarch64&distro=amazonlinux-2 | amazonlinux | nghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux | nghttp2-debuginfo | < 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=i686&distro=amazonlinux-2 | amazonlinux | nghttp2-debuginfo | < 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/nghttp2-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux | nghttp2-debuginfo | < 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/libnghttp2?arch=x86_64&distro=amazonlinux-2 | amazonlinux | libnghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/libnghttp2?arch=i686&distro=amazonlinux-2 | amazonlinux | libnghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/libnghttp2?arch=aarch64&distro=amazonlinux-2 | amazonlinux | libnghttp2 | < 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=x86_64&distro=amazonlinux-2 | amazonlinux | libnghttp2-devel | < 1.41.0-1.amzn2 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=i686&distro=amazonlinux-2 | amazonlinux | libnghttp2-devel | < 1.41.0-1.amzn2 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/libnghttp2-devel?arch=aarch64&distro=amazonlinux-2 | amazonlinux | libnghttp2-devel | < 1.41.0-1.amzn2 | amazonlinux-2 | aarch64 | |