CVE-2019-9515

Name: CVE-2019-9515
Description: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 934886, 934887

Vulnerable and fixed packages

The table below lists information on source packages.

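| Source Package | Release | Version | Status |
|---|---|---|---|
| h2o (PTS) | buster | 2.2.5+dfsg2-2 | vulnerable |
| h2o | bullseye, sid | 2.2.5+dfsg2-3 | fixed |
| trafficserver (PTS) | stretch (security), stretch | 7.0.0-6+deb9u2 | vulnerable |
| trafficserver | buster | 8.0.2+ds-1 | vulnerable |
| trafficserver | bullseye, sid | 8.0.3+ds-4 | vulnerable |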

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| h2o | source | (unstable) | 2.2.5+dfsg2-3 | | | 934886 |
| trafficserver | source | (unstable) | (unfixed) | | | 934887 |

Notes

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
https://github.com/h2o/h2o/issues/2090
https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f
