CVE-2019-9515

NameCVE-2019-9515
DescriptionSome HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4508-1, DSA-4520-1
NVD severityhigh
Debian Bugs934886, 934887

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
h2o (PTS)buster, buster (security)2.2.5+dfsg2-2+deb10u1fixed
bullseye, sid2.2.5+dfsg2-3fixed
trafficserver (PTS)stretch (security), stretch7.0.0-6+deb9u2vulnerable
buster8.0.2+ds-1vulnerable
buster (security)8.0.2+ds-1+deb10u1fixed
bullseye, sid8.0.5+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
h2osource(unstable)2.2.5+dfsg2-3934886
h2osourcebuster2.2.5+dfsg2-2+deb10u1DSA-4508-1
trafficserversource(unstable)8.0.5+ds-1934887
trafficserversourcebuster8.0.2+ds-1+deb10u1DSA-4520-1
trafficserversourcestretch(unfixed)end-of-life

Notes

[stretch] - trafficserver <end-of-life> (see DSA 4520)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
https://github.com/h2o/h2o/issues/2090
https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f

Search for package or bug name: Reporting problems