http://bugzilla.opensuse.org/show_bug.cgi?id=966514

            Bug ID: 966514
           Summary: [VUL-0] nghttp2 CVE-2016-1544
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: 2015*
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: mpluskal@suse.com
          Reporter: mpluskal@suse.com
        QA Contact: qa-bugs@suse.de
                CC: pgajdos@suse.com
          Found By: ---
           Blocker: ---

Security Advisory

CVE-2016-1544: Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.

Vulnerability

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If a peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with an out-of-memory error.

HTTP/2 uses HPACK to compress header fields. The basic idea is that an HTTP header field is stored in the receiver with a numeric index number. The memory used by this storage is tightly constrained, and it is 4KiB by default. When the sender sends the same header field, it just sends the corresponding numeric index number, which is usually 1 or 2 bytes. This means that after the sender makes the receiver store a relatively large header field (e.g., 4KiB), it can send specially crafted HEADERS/CONTINUATION frames which contain a lot of references to the stored header field, so the sender can effectively send lots of big header fields to the receiver quite easily.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for received header fields, so if the peer performs the procedure described above, they will crash due to out of memory.

Note that libnghttp2 itself is not affected by this vulnerability.

Affected Versions

Affected versions: nghttp2 <= 1.7.0
Not affected versions: nghttp2 >= 1.7.1
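
The missing limit described above, sketched from the receiver's side as an added example (not code from nghttp2 or from this report): a per-stream budget charged once per decoded header field, using the RFC 7540 section 6.5.2 sizing of name length + value length + 32. The 64 KiB budget and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define FIELD_OVERHEAD 32u                  /* per-field overhead, RFC 7540 6.5.2 */
#define MAX_HEADER_LIST_SIZE (64u * 1024u)  /* assumed per-stream budget */

struct stream_headers {
    size_t decoded_bytes; /* running total of decoded header sizes */
};

/* Hypothetical per-field hook, called after HPACK decoding.
 * Returns 0 to accept the field, -1 when the stream should be reset. */
int account_header(struct stream_headers *s, size_t namelen, size_t valuelen)
{
    size_t cost;
    if (namelen > MAX_HEADER_LIST_SIZE || valuelen > MAX_HEADER_LIST_SIZE)
        return -1;                          /* also rules out size_t overflow */
    cost = namelen + valuelen + FIELD_OVERHEAD;
    if (cost > MAX_HEADER_LIST_SIZE - s->decoded_bytes)
        return -1;                          /* budget exhausted */
    s->decoded_bytes += cost;
    return 0;
}

/* Decoded size of `refs` copies of one stored field when nothing is capped. */
size_t unbounded_decoded_bytes(size_t refs, size_t namelen, size_t valuelen)
{
    return refs * (namelen + valuelen + FIELD_OVERHEAD);
}

/* Feed `refs` decoded copies of one field; return how many were accepted. */
size_t accepted_before_reset(size_t refs, size_t namelen, size_t valuelen)
{
    struct stream_headers s = {0};
    size_t i;
    for (i = 0; i < refs; i++)
        if (account_header(&s, namelen, valuelen) != 0)
            break;
    return i;
}

int main(void)
{
    /* Constructed input: one 4 KiB table entry, referenced 16384 times. */
    size_t refs = 16384, namelen = 1, valuelen = 4063;
    printf("uncapped: %zu bytes decoded\n",
           unbounded_decoded_bytes(refs, namelen, valuelen));
    printf("capped:   %zu fields accepted before reset\n",
           accepted_before_reset(refs, namelen, valuelen));
    return 0;
}
```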